Thirty study participants playtested an innocent-looking "escape room" game in virtual reality (VR). Behind the scenes, an adversarial program had accurately inferred over 25 personal data attributes, from anthropometrics like height and wingspan to demographics like age and gender, within just a few minutes of gameplay. As notoriously data-hungry companies become increasingly involved in VR development, this experimental scenario may soon represent a typical VR user experience. While virtual telepresence applications (and the so-called "metaverse") have recently received increased attention and investment from major tech firms, these environments remain relatively under-studied from a security and privacy standpoint. In this work, we illustrate how VR attackers can covertly ascertain dozens of personal data attributes from seemingly anonymous users of popular metaverse applications like VRChat. These attackers can be as simple as other VR users without special privileges, and the potential scale and scope of this data collection far exceed what is feasible within traditional mobile and web applications. We aim to shed light on the unique privacy risks of the metaverse, and provide the first holistic framework for understanding intrusive data harvesting attacks in these emerging VR ecosystems.