Metaverse platforms promise their users that they can access virtual worlds from the privacy and comfort of their homes and interact with others in a secure and private manner. But research by CISPA found that this is an empty promise: the metaverse carries significant risks, such as a lack of privacy, which can result in a rise in cyberattacks. The researcher, Andrea Mengascini, said that while studying the metaverse and virtual reality, he found that online games and the metaverse use the same technology. The metaverse is a virtual social place where people can interact with each other under rules similar to those of the physical world. People can find digital copies of the real world, and the system uses JavaScript to manage 3D environments. It not only provides a good interface for running the virtual world smoothly, but is also responsible for security.
The researcher put forward three questions for his research: What types of objects exist in the metaverse and how are they assigned? Where are these objects stored, and how can attackers access them in memory? And how can attackers use memory to exploit metaverse users? The researcher found that there are 27 metaverse platforms that use the WebXR API, and he examined three of them in detail. User activity, popularity, coverage and internet traffic were taken into account when choosing the three platforms. He then captured snapshots before and after performing a specific action. Afterwards, he checked whether anything had changed and whether the action he performed could be read from the web browser's memory.
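The before-and-after comparison described above can be sketched as a diff between two snapshots of client state, which a developer can use to see what an action leaves readable in their own client. This is an added example, not code from the research or from any platform; it works on plain JavaScript objects rather than real browser heap snapshots, and `flatten`, `diffSnapshots`, `makeState` and the sample state are hypothetical and constructed.

```javascript
// Added example with constructed data; plain objects stand in for client state.
// Flatten an object graph into path -> primitive value, tolerating cycles.
function flatten(root) {
  const out = new Map();
  const seen = new WeakSet();
  const stack = [["", root]];
  while (stack.length > 0) {
    const [path, value] = stack.pop();
    if (value === null || typeof value !== "object") {
      out.set(path, value);
      continue;
    }
    if (seen.has(value)) continue; // already visited (cycle or shared reference)
    seen.add(value);
    for (const key of Object.keys(value)) {
      stack.push([path ? `${path}.${key}` : key, value[key]]);
    }
  }
  return out;
}

// Report every path that was added, removed or changed between two snapshots.
function diffSnapshots(before, after) {
  const a = flatten(before);
  const b = flatten(after);
  const changes = [];
  for (const [path, value] of b) {
    if (!a.has(path)) changes.push({ path, kind: "added", after: value });
    else if (!Object.is(a.get(path), value)) {
      changes.push({ path, kind: "changed", before: a.get(path), after: value });
    }
  }
  for (const [path, value] of a) {
    if (!b.has(path)) changes.push({ path, kind: "removed", before: value });
  }
  return changes.sort((x, y) => (x.path < y.path ? -1 : x.path > y.path ? 1 : 0));
}

// Hypothetical client state: one avatar position and a chat log.
function makeState(x, messages) {
  const state = { scene: { avatars: { u1: { x, y: 0, z: 0 } } }, chat: { log: messages } };
  state.scene.avatars.u1.scene = state.scene; // back-reference, a cycle
  return state;
}

// Snapshot before and after the user moves and sends one message.
function exampleChanges() {
  return diffSnapshots(makeState(0, []), makeState(2.5, ["hello"])).map((c) => `${c.kind}:${c.path}`);
}
console.log(exampleChanges());
```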
The researcher found that most of these things can easily be read because the browser's memory is easily accessible. Even someone who is not an expert can access it. The developers of those sites missed some common coding practices that would protect users' privacy and avoid disclosing information about the client. As a result, hackers can easily access that information, and attacks are possible.
Attackers are able to control avatars and even the scenarios that victims are using, and they can position themselves in a room where they can hear and watch everything. It's like using the users' VR glasses without them realizing that an attacker is infiltrating their space. The researcher then contacted the developers of the three platforms he examined and told them about the issue. The developers haven't changed anything about their platforms yet, but they may soon try to do something about it. Andrea Mengascini also said that he has proposed some protection mechanisms that can be implemented on those metaverse platforms to ensure the safety of clients.