CISPA

The Big Brother’s New Playground: Unmasking the Illusion of Privacy in Web Metaverses from a Malicious User’s Perspective

conference contribution
posted on 2024-10-01, 12:11 authored by Andrea Mengascini, Ryan Aurelio, Giancarlo Pellegrino
Metaverses are virtual worlds where users can engage in social exchanges, collaborate, or play games. Their clients now are JavaScript programs that run inside modern web browsers. They implement functionalities typical of multiplayer video games, like 3D and physics engines, requiring them to maintain complex data structures of objects in the browser’s memory. Unfortunately, these objects can be accessed and manipulated by malicious users, allowing them to learn about events beyond the ones rendered on screen or to hijack the physics of the metaverse to spy on other users. In this paper, we propose one of the first comprehensive security assessments for web clients of metaverse platforms. We begin with a survey and selection of three metaverse platforms — FrameVR, Mozilla Hubs, and Somnium Space — and introduce a software-centric threat modeling approach designed to identify the security-relevant entities. Then, we propose a JavaScript global object snapshot diffing technique to identify in-memory objects correlated with the attribute and design 10 attacks, of which eight successfully executed against at least one of the metaverses, enabling a malicious user to perform audio/video surveillance or continuous user position tracking — to mention a few — who could exacerbate current threats posed by stalkers and online abusers. Finally, we discuss the implications of our attacks should the metaverse become a business tool and possible solutions.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

ACM Conference on Computer and Communications Security (CCS)

Journal

Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security

BibTeX

@conference{Mengascini:Aurelio:Pellegrino:2024,
  title = "The Big Brother’s New Playground: Unmasking the Illusion of Privacy in Web Metaverses from a Malicious User’s Perspective",
  author = "Mengascini, Andrea and Aurelio, Ryan and Pellegrino, Giancarlo",
  year = 2024,
  month = 1,
  journal = "Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security"
}
