Metaverses are virtual worlds where users can engage in social exchanges, collaborate, or play games. Their clients are now JavaScript programs that run inside modern web browsers. They implement functionalities typical of multiplayer video games, like 3D and physics engines, which requires them to maintain complex data structures of objects in the browser’s memory. Unfortunately, these objects can be accessed and manipulated by malicious users, allowing them to learn about events beyond the ones rendered on screen or to hijack the physics of the metaverse to spy on other users.
In this paper, we propose one of the first comprehensive security assessments for web clients of metaverse platforms. We begin with a survey and selection of three metaverse platforms — FrameVR, Mozilla Hubs, and Somnium Space — and introduce a software-centric threat modeling approach designed to identify the security-relevant entities. Then, we propose a JavaScript global object snapshot diffing technique to identify in-memory objects correlated with the attribute and design 10 attacks, of which eight successfully executed against at least one of the metaverses, enabling a malicious user to perform audio/video surveillance or continuous user position tracking — to mention a few — which could exacerbate current threats posed by stalkers and online abusers. Finally, we discuss the implications of our attacks should the metaverse become a business tool and possible solutions.
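The snapshot diffing technique mentioned in the abstract can be illustrated with a small, self-contained example. The code below is an added example written for this page, not code from the paper or from any of the three platforms: it walks an object graph, records a flat map of property paths to primitive values, and reports which paths appeared, disappeared, or changed between two snapshots. The `clientState` object is a constructed stand-in for a client's `globalThis`; a developer auditing their own client would call `snapshot(globalThis)` before and after an in-world event to see which of their internal state (other users' positions, microphone flags) is reachable from the global object, which is the exposure the paper's attacks build on and the exposure that keeping state inside module scope or closures would remove.

```javascript
// Added example: snapshot-diffing a JavaScript object graph to find which
// properties change between two moments. Not the paper's code; the client
// state below is a constructed stand-in for a real client's globalThis.

// Walk an object graph breadth-first and record "path -> primitive value"
// (functions are recorded as a type marker). Depth is bounded by maxDepth
// and cycles are cut with a WeakSet of visited objects.
function snapshot(root, maxDepth = 4) {
  const out = new Map();
  const seen = new WeakSet();
  const queue = [{ obj: root, path: '', depth: 0 }];
  while (queue.length) {
    const { obj, path, depth } = queue.shift();
    if (seen.has(obj)) continue;
    seen.add(obj);
    for (const key of Object.keys(obj)) {
      const p = path ? `${path}.${key}` : key;
      let v;
      try { v = obj[key]; } catch (e) { out.set(p, '<inaccessible>'); continue; }
      if (v === null || typeof v !== 'object') {
        out.set(p, typeof v === 'function' ? '<function>' : v);
      } else if (depth < maxDepth) {
        queue.push({ obj: v, path: p, depth: depth + 1 });
      }
    }
  }
  return out;
}

// Compare two snapshots: paths that appeared, disappeared, or changed value.
function diff(before, after) {
  const added = [], removed = [], changed = [];
  for (const [p, v] of after) {
    if (!before.has(p)) added.push(p);
    else if (!Object.is(before.get(p), v)) changed.push({ path: p, from: before.get(p), to: v });
  }
  for (const p of before.keys()) if (!after.has(p)) removed.push(p);
  return { added, removed, changed };
}

// Constructed stand-in for a metaverse client's global state
// (hypothetical object model, not any real platform's).
function makeClientState() {
  return {
    sceneName: 'lobby',
    avatars: {
      self:  { id: 'u1', position: { x: 0, y: 0, z: 0 }, micOn: false },
      other: { id: 'u2', position: { x: 5, y: 0, z: 2 }, micOn: false },
    },
    render: () => {},
  };
}

// Worked run: snapshot, simulate in-world events, snapshot again, diff.
// Every path reported here is state a script on the page could read,
// even though nothing about it is rendered on the user's own screen.
function demo() {
  const state = makeClientState();
  const before = snapshot(state);
  state.avatars.other.position.x = 7;   // remote user moved
  state.avatars.other.micOn = true;     // remote user unmuted
  state.avatars.late = { id: 'u3', position: { x: 1, y: 0, z: 1 }, micOn: false }; // a user joined
  const after = snapshot(state);
  return diff(before, after);
}

console.log(JSON.stringify(demo(), null, 2));
```

The useful output is the set of changed paths: two property changes on `avatars.other` and five new paths under `avatars.late`. Run against a real client, the same diff taken across "another user spoke" or "another user walked" tells the developer exactly which objects leak that event to page scripts and therefore which state to move out of the global object.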
Primary Research Area
Empirical and Behavioral Security
Name of Conference
ACM Conference on Computer and Communications Security (CCS)
Journal
Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
BibTeX
@conference{Mengascini:Aurelio:Pellegrino:2024,
title = "The Big Brother’s New Playground: Unmasking the Illusion of Privacy in Web Metaverses from a Malicious User’s Perspective",
author = "Mengascini, Andrea and Aurelio, Ryan and Pellegrino, Giancarlo",
year = 2024,
month = 1,
journal = "Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security"
}