Thirty study participants playtested an innocent-looking "escape room" game in virtual reality (VR). Behind the scenes, an adversarial program had accurately inferred over 25 personal data attributes, from anthropometrics like height and wingspan to demographics like age and gender, within just a few minutes of gameplay. As notoriously data-hungry companies become increasingly involved in VR development, this experimental scenario may soon represent a typical VR user experience. While virtual telepresence applications (and the so-called "metaverse") have recently received increased attention and investment from major tech firms, these environments remain relatively under-studied from a security and privacy standpoint. In this work, we illustrate how VR attackers can covertly ascertain dozens of personal data attributes from seemingly-anonymous users of popular metaverse applications like VRChat. These attackers can be as simple as other VR users without special privilege, and the potential scale and scope of this data collection far exceed what is feasible within traditional mobile and web applications. We aim to shed light on the unique privacy risks of the metaverse, and provide the first holistic framework for understanding intrusive data harvesting attacks in these emerging VR ecosystems.