
Vision Pro Security Flaw That Could Expose What You Typed Was Fixed in visionOS 1.3

A group of computer scientists earlier this year discovered an Apple Vision Pro security vulnerability that allowed them to determine what users were typing, including passwords, PINs, and messages, according to a report by WIRED.

The attack, dubbed GAZEploit and shared exclusively with WIRED, allowed the researchers to successfully reconstruct passwords, PINs, and messages people typed with their eyes.

When a Vision Pro user was using a virtual Persona avatar, the researchers were able to analyze the Persona’s eye movements to determine what the user was typing on the Vision Pro’s virtual keyboard when using apps like Zoom, Teams, Slack, Reddit, Tinder, Twitter, Skype, and FaceTime.

The researchers said the exploit worked because a user's gaze tends to fixate on whichever key they are about to press next, revealing predictable patterns. They were able to identify the letters people entered 92% of the time within five guesses, and 77% of the time when passwords were being entered.

The researchers told Apple about the vulnerability back in April, and the company fixed the issue in visionOS 1.3 in July. Personas are now suspended when the Vision Pro’s virtual keyboard is active.

Apple added the following entry to its visionOS 1.3 security notes on September 5:

Presence

Available for: Apple Vision Pro

Impact: Inputs to the virtual keyboard may be inferred from Persona

Description: The issue was addressed by suspending Persona when the virtual keyboard is active.

CVE-2024-40865: Hanqiu Wang of University of Florida, Zihao Zhan of Texas Tech University, Haoqi Shan of Certik, Siqi Dai of University of Florida, Max Panoff of University of Florida, and Shuo Wang of University of Florida

The report says the proof-of-concept attack was not exploited in the wild. However, Vision Pro users are urged to immediately update the headset to visionOS 1.3 or later.