Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

From thehackernews.com

Details have emerged about a now-patched security flaw impacting Apple’s Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device’s virtual keyboard.

The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865.

“A novel attack that can infer eye-related biometrics from the avatar image to reconstruct text entered via gaze-controlled typing,” a group of academics from the University of Florida, CertiK Skyfall Team, and Texas Tech University said.

“The GAZEploit attack leverages the vulnerability inherent in gaze-controlled text entry when users share a virtual avatar.”

Following responsible disclosure, Apple addressed the issue in visionOS 1.3 released on July 29, 2024. It described the vulnerability as impacting a component called Presence.

Read more…