The Big Brother's New Playground: Unmasking the Illusion of Privacy in Web Metaverses from a Malicious User's Perspective

2024-10-01

Conference: CCS

Authors: Andrea Mengascini, Ryan Aurelio, Giancarlo Pellegrino

Abstract

Metaverses are evolving virtual worlds where users can interact in immersive environments via web clients that run in modern browsers. Unfortunately, the data structures behind these environments, implemented through JavaScript and 3D engines, are vulnerable to malicious manipulation. This paper provides a comprehensive security assessment of web metaverse clients from a malicious user's perspective. We analyze three popular metaverse platforms, using a software-centric threat modeling approach to identify in-memory objects and propose ten potential attacks, eight of which were successfully demonstrated. Our analysis reveals severe privacy risks, including attacks such as audio/video surveillance and continuous user tracking, which could amplify the threats posed by online abuse and stalking.

Summary

This paper explores the security and privacy issues present in web-based metaverse platforms by analyzing the JavaScript programs behind these virtual worlds. The researchers conducted a comprehensive threat modeling process, identifying vulnerabilities within the data structures that manage 3D objects and interactions in the metaverse. By diffing JavaScript global objects, they pinpointed attributes that could be manipulated and successfully implemented eight of the ten proposed attacks, highlighting significant weaknesses in metaverse privacy protections. These attacks included real-time tracking of user positions, audio and video surveillance, and even techniques allowing the hijacking of other users' points of view without detection. The study emphasizes the risks of using metaverses for social and business purposes while these security flaws remain unaddressed.