Meta has fixed a serious security flaw that allowed users of its Meta AI chatbot to access private prompts and AI responses belonging to other users.

The vulnerability was discovered by Sandeep Hodkasia, founder of security testing firm AppSecure, who received a ten-thousand-dollar bug bounty for responsibly reporting the issue.

Hodkasia uncovered the flaw in December 2024 after analyzing how Meta AI lets users edit their prompts to regenerate responses. He found that Meta’s back-end servers assigned a unique and easily guessable number to each prompt. By modifying this number in browser network traffic, he was able to view prompts and responses submitted by other users.

Meta confirmed it deployed a fix on January 24, 2025, and found no signs that the vulnerability had been maliciously exploited. A spokesperson said the company rewarded the researcher and took swift action after the report.
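The flaw described above is an authorization gap on an object reference: the server returned whatever record matched the number in the request. As an added illustration (not Meta's code and not from the original report; the `PromptStore` class, its method names and the sample data are constructed assumptions), this Python sketch puts a lookup with no ownership check beside one that enforces it.

```python
# Added illustration; all names and data are constructed, not Meta's code.
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not read the requested prompt."""


@dataclass
class Prompt:
    owner: str
    text: str
    response: str


class PromptStore:
    def __init__(self):
        self._rows = {}
        self._next_id = 1000  # sequential counter, therefore guessable

    def create_sequential(self, owner, text, response):
        pid = str(self._next_id)
        self._next_id += 1
        self._rows[pid] = Prompt(owner, text, response)
        return pid

    def create_random(self, owner, text, response):
        # Unguessable id: defense in depth, not a substitute for the check.
        pid = secrets.token_urlsafe(16)
        self._rows[pid] = Prompt(owner, text, response)
        return pid

    def get_vulnerable(self, session_user, pid):
        # Flawed pattern: the session is authenticated, but the record's
        # owner is never compared with the caller.
        return self._rows[pid]

    def get_hardened(self, session_user, pid):
        row = self._rows.get(pid)
        # Same error for "missing" and "not yours", so the response does
        # not reveal which ids exist.
        if row is None or row.owner != session_user:
            raise Forbidden(pid)
        return row
```

The ownership comparison in `get_hardened` is the actual fix; random identifiers only make enumeration harder if a check is ever missed.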

