
The argument here is that the AI is a glorified input page. The input field asks for your username and email and sends it to a backend function. Such an input page is working as intended.

The problem is when the backend function doesn't verify that the email matches the username.




Why on earth would the backend function even take an email?

Or perhaps said differently: use the submitted info to identify the account; send any sensitive messages (recovery codes, password resets, whatever) to only the contact info on file. If the chat bot can send such email it should do so via an API that sends only to contact info on file for the associated account and not to an email that's provided by the bot.
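The design described in the comment above, sketched as an added example that is not part of the thread and not any real product's code: a recovery function whose caller supplies the destination, next to one that only accepts an account identifier and a channel. The account store, outbox and function names are hypothetical and the data is constructed.

```python
import secrets

# Constructed account store and outbox; every name and address here is hypothetical.
ACCOUNTS = {"alice": {"email": "alice@example.com", "phone": "+15550101234"}}
OUTBOX = []  # stands in for the real mail/SMS gateway

GENERIC_REPLY = "If the account exists, a reset code was sent to its contact on file."


def _deliver(destination, username):
    code = secrets.token_urlsafe(8)
    OUTBOX.append((destination, f"Reset code for {username}: {code}"))


def send_reset_caller_chooses(username, email):
    """Weak shape: whoever fills in the form (a browser or a chat bot)
    picks the destination, so the code can leave the account owner's control."""
    if username in ACCOUNTS:
        _deliver(email, username)
    return GENERIC_REPLY


def send_reset_on_file(username, channel="email"):
    """Hardened shape: input only identifies the account and a channel;
    the destination is always read from the stored record."""
    account = ACCOUNTS.get(username)
    if account is not None and channel in ("email", "phone"):
        _deliver(account[channel], username)
    return GENERIC_REPLY  # same reply whether or not anything was sent


def sent_to():
    """Destinations used so far, in order."""
    return [destination for destination, _ in OUTBOX]


if __name__ == "__main__":
    send_reset_caller_chooses("alice", "someone-else@example.net")
    send_reset_on_file("alice")
    send_reset_on_file("alice", "someone-else@example.net")  # not a channel: nothing sent
    print(sent_to())
```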


> Why on earth would the backend function even take an email?

In principle, it could be designed to do so to handle cases where a new email address has been confirmed out of band, e.g. for an account representing a company or a political office. But that's a relatively unusual situation, not something you'd want to be available to every user writing in. (Even if you had an all-human support department, this sort of functionality would only be available to a select few agents.)


Some sites do this to prevent password recovery spam; you need to provide two pieces of information. Ideally not telling the client if they wrote the wrong email, that'd be a security issue of its own.

When such systems are hooked up to a web page they often will ask which contact should receive the reset code

(Pick one:

"send text to number ending in -1234"

"send text to number ending in -5678"

"send email to jo......th@gmail.com" )


Fair enough. Never trust client-submitted browser form, but always trust LLM-submitted form.

If the backend function was so poorly coded as to allow such a gargantuan security hole, then it is an even worse problem. Basically Meta is throwing its own engineers under the bus so that its AI chatbot can save face. Scary stuff.

Unless the backend was _also_ vibe-coded, in which case it is still an AI problem.


Okay, I hear you. I do. From a technical viewpoint, that may very well be how their systems are implemented. But this still doesn't answer the question of why the fuck this matters to these states' AGs and the people they represent.


