TLDR: Meta has successfully addressed a significant privacy flaw in its AI chatbot platform that could have allowed unauthorized users to view private prompts and AI-generated responses from others. The vulnerability was responsibly disclosed by security researcher Sandeep Hodkasia, who received a $10,000 bug bounty for his discovery.
Meta has recently resolved a critical security vulnerability within its AI chatbot platform, which had the potential to expose users’ private prompts and the corresponding AI-generated responses to other individuals. The flaw, identified and responsibly disclosed by Sandeep Hodkasia, founder of the security testing firm AppSecure, led to a $10,000 (approximately ₹8.5 lakh) bug bounty reward for his efforts.
Hodkasia reported the issue to Meta on December 26, 2024, and the company subsequently deployed a fix on January 24, 2025. According to a Meta spokesperson, there was no evidence to suggest that the vulnerability had been maliciously exploited before its disclosure.
The core of the vulnerability lay in how Meta AI handled editable prompts. When users interact with the AI platform to generate text or images and then edit their original input, Meta’s backend systems assign a unique identification number (ID) to each prompt-response pair. Hodkasia discovered that these IDs, visible through browser developer tools, followed a predictable and easily guessable pattern. By simply manipulating these sequential numbers, he was able to access and view the private prompts and AI-generated replies of other users. The critical oversight was that Meta’s servers were not adequately verifying whether the person requesting to view the content was actually authorized to see it, effectively lacking user-specific access checks. This allowed for the potential scraping of user data at scale by a determined attacker using automated tools.
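The mechanism described above, where the server looks up a prompt-response pair by its ID without checking who is asking (the class of bug commonly called an insecure direct object reference), as an added example that is not Meta's code and does not come from the article. It is a small Python model: a store with the vulnerable lookup beside a hardened one that requires ownership, random IDs in place of sequential ones as defense in depth, and a detector that flags a sequential-ID sweep in access logs once the ownership check is in place. The `PromptStore` class, the user names, the numeric IDs and the log lines are all constructed assumptions for illustration.

```python
"""Added example (not Meta's code): a minimal model of an ID-only lookup
and its hardened form. All names, IDs and log lines are constructed."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PromptRecord:
    owner: str       # user who submitted the prompt
    prompt: str
    response: str


class NotAuthorized(Exception):
    """Raised when the caller does not own the requested record."""


class PromptStore:
    def __init__(self) -> None:
        self._records: Dict[str, PromptRecord] = {}
        self._next_seq = 1000            # constructed start of a sequential counter

    def sequential_id(self) -> str:
        """Predictable IDs: knowing one reveals its neighbours."""
        self._next_seq += 1
        return str(self._next_seq)

    @staticmethod
    def opaque_id() -> str:
        """128 random bits; unguessable, but not a substitute for an authz check."""
        return secrets.token_urlsafe(16)

    def add(self, owner: str, prompt: str, response: str, opaque: bool = True) -> str:
        rec_id = self.opaque_id() if opaque else self.sequential_id()
        self._records[rec_id] = PromptRecord(owner, prompt, response)
        return rec_id

    def get_vulnerable(self, requesting_user: str, rec_id: str) -> Optional[PromptRecord]:
        """The flaw the article describes: the ID alone decides access.
        requesting_user is received but never compared with the owner."""
        return self._records.get(rec_id)

    def get_secure(self, requesting_user: str, rec_id: str) -> PromptRecord:
        """Hardened lookup: the record must exist AND belong to the caller.
        Both failures raise the same error so a probe cannot tell
        'no such ID' from 'someone else's ID'."""
        rec = self._records.get(rec_id)
        if rec is None or rec.owner != requesting_user:
            raise NotAuthorized(rec_id)
        return rec


def demo() -> Dict[str, object]:
    """Walk through both lookups with sequential IDs so the leak is visible."""
    store = PromptStore()
    alice_id = store.add("alice", "draft a cover letter", "Dear hiring manager...", opaque=False)
    bob_id = store.add("bob", "summarise my notes", "Your notes mention...", opaque=False)
    leaked = store.get_vulnerable("alice", bob_id)      # alice reads bob's record
    try:
        store.get_secure("alice", bob_id)
        blocked = False
    except NotAuthorized:
        blocked = True
    own = store.get_secure("bob", bob_id)               # legitimate owner still works
    return {
        "ids_adjacent": int(bob_id) == int(alice_id) + 1,
        "leaked_owner": leaked.owner if leaked else None,
        "blocked": blocked,
        "own_ok": own.prompt == "summarise my notes",
    }


# Constructed access-log lines for the hardened endpoint (not real Meta logs).
ACCESS_LOG = [
    "user=alice id=1001 status=200",
    "user=mallory id=1001 status=403",
    "user=mallory id=1002 status=403",
    "user=mallory id=1003 status=403",
    "user=mallory id=1004 status=200",
    "user=bob id=1002 status=200",
]


def enumeration_suspects(lines: List[str], threshold: int = 3) -> List[str]:
    """Flag users whose denied lookups form a run of consecutive IDs: with the
    ownership check in place, a sequential sweep shows up as neighbouring 403s."""
    denied: Dict[str, List[int]] = {}
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["status"] == "403":
            denied.setdefault(fields["user"], []).append(int(fields["id"]))
    suspects = []
    for user, ids in denied.items():
        ids.sort()
        run = longest = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if longest >= threshold:
            suspects.append(user)
    return suspects


if __name__ == "__main__":
    print(demo())
    print(enumeration_suspects(ACCESS_LOG))
```

The ownership comparison in `get_secure` is the fix that matters; opaque IDs only raise the cost of guessing and should be layered on top of it, never used instead of it. The detector is deliberately simple (a run of denied consecutive IDs from one account) and is the kind of signal that only exists after the authorization check has been added, since a vulnerable endpoint returns 200 for every guess.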
This incident underscores the ongoing privacy and security challenges technology companies face as they rapidly deploy generative AI tools. It also recalls earlier privacy concerns around Meta AI, including instances where users unintentionally made public chats they believed were private after the standalone Meta AI app launched earlier this year. Despite the fix, the event renews discussion about data privacy in the evolving landscape of artificial intelligence.