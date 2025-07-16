Meta has patched a significant vulnerability in its AI chatbot platform that could have exposed users’ private conversations. The bug, discovered in late 2024 by security researcher Sandeep Hodkasia, founder of AppSecure, was disclosed to Meta and fixed by January 2025. The company has since confirmed that no malicious exploitation was detected.

The flaw was found in how Meta AI managed user prompts and their associated responses on the server. Each prompt and AI reply was assigned a unique numerical ID. During normal editing or regeneration of a prompt, these IDs were referenced in the backend.

By monitoring browser network traffic, Hodkasia discovered that these prompt IDs were not properly secured. Simply altering the numeric ID in a request allowed access to other users’ prompts and responses – a serious lapse in authorization controls. According to the researcher, the IDs were “easily guessable”, making it relatively simple to pull data from other users.

Meta’s Response

After receiving Hodkasia’s report in December 2024, Meta moved quickly to patch the issue the following month. The social media giant also awarded a $10,000 (approx. ₹8.5 lakh) bug bounty to the researcher. A Meta spokesperson confirmed that the issue was resolved and that no real-world exploitation was detected.

Why It Matters

This vulnerability underscores the critical importance of robust access control mechanisms in AI systems – especially those dealing with personal and sensitive user interactions. While the data was not publicly leaked, a flaw like this could have led to severe privacy breaches if left unpatched.

The incident also comes on the heels of previous concerns around Meta AI’s data handling. In June, users reported seeing sensitive AI-generated responses in their Discover feeds, prompting Meta to begin warning users against oversharing with the chatbot.

With AI platforms becoming more integrated into users’ daily lives, ensuring airtight security is essential. This case highlights how community-led disclosures and bug bounty programs play a key role in safeguarding user privacy.