Apple fixes dangerous 'GAZEploit' Vision Pro security flaw

Hackers could've stolen your passwords just by observing your eye movements.
By Stan Schroeder  on 
[Image: Apple Vision Pro] It's all in the eyes. Credit: Apple

Apple's Vision Pro has a way of showing the world a virtual version of you while you interact with others in virtual reality. Unfortunately, this very feature, called Persona, could have been used by attackers to work out what a Vision Pro user was typing, passwords included.

The security flaw was discovered by a group of six computer scientists from the University of Florida's Department of Computer Science, and it was first reported on by Wired.

The GAZEploit attack, as the researchers dubbed it, works by tracking the eye movements of a user's Persona, the avatar that reproduces the wearer's real gaze, to spot when they are typing on the Vision Pro's virtual keyboard. The researchers found that users tend to fix their gaze on the specific key they are about to select, and built an algorithm that maps those gaze fixations back onto the keyboard to recover what was typed. The results were quite accurate: the researchers identified the correct letters of users' passwords 77 percent of the time, and when it came to inferring what people were typing in a message, the results were accurate 92 percent of the time.
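To make the inference step concrete, here is a toy version of the idea. It is an added example written for this article, not the researchers' GAZEploit code or anything from Apple: it assumes a hypothetical keyboard geometry, synthesises a gaze trace for a typed string with fixed jitter, detects fixations with a standard dispersion-threshold (I-DT) algorithm, and maps each fixation to the nearest key. The layout coordinates, thresholds, function names and gaze samples are all constructed for illustration.

```python
"""Toy gaze-to-keystroke inference (added example, not GAZEploit code).

Idea: a typist's gaze settles on a key just before selecting it, so if an
avatar faithfully reproduces the wearer's eye direction, dwell points
("fixations") in the avatar's gaze trace can be mapped onto a known
keyboard layout to recover the typed text. Keyboard geometry, thresholds
and the synthetic gaze samples below are all constructed for illustration.
"""
import math

ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROW_OFFSETS = [0.0, 0.5, 1.0]   # hypothetical QWERTY stagger, in key widths


def build_layout():
    """Map each letter to a hypothetical (x, y) key centre, 1 unit per key."""
    layout = {}
    for row_idx, (row, off) in enumerate(zip(ROWS, ROW_OFFSETS)):
        for col_idx, ch in enumerate(row):
            layout[ch] = (col_idx + off, float(row_idx))
    return layout


LAYOUT = build_layout()


def dispersion(points):
    """I-DT dispersion of a window: (max x - min x) + (max y - min y)."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (max(xs) - min(xs)) + (max(ys) - min(ys))


def detect_fixations(samples, max_dispersion=0.3, min_dwell=5):
    """Dispersion-threshold (I-DT) fixation detection.

    Grows a window while its dispersion stays under the threshold. A window
    of at least min_dwell samples is reported as a fixation centroid; a
    shorter one is treated as part of a saccade and skipped.
    """
    fixations = []
    i, n = 0, len(samples)
    while i < n:
        j = i + 1
        while j <= n and dispersion(samples[i:j]) <= max_dispersion:
            j += 1
        window = samples[i:j - 1]          # longest in-threshold run from i
        if len(window) >= min_dwell:
            cx = sum(p[0] for p in window) / len(window)
            cy = sum(p[1] for p in window) / len(window)
            fixations.append((cx, cy))
            i = j - 1                      # resume at first sample outside it
        else:
            i += 1
    return fixations


def nearest_key(point, layout=LAYOUT):
    """Key whose centre is closest to a fixation centroid."""
    return min(layout, key=lambda k: math.dist(point, layout[k]))


def infer_text(samples, layout=LAYOUT):
    """Turn a raw gaze trace into the most likely typed string."""
    return "".join(nearest_key(f, layout) for f in detect_fixations(samples))


# Fixed jitter (constructed) so the example is reproducible without a PRNG.
JITTER = [(0.0, 0.0), (0.04, 0.02), (-0.03, 0.05), (0.05, -0.04),
          (-0.05, -0.02), (0.02, 0.05), (-0.04, -0.05), (0.03, 0.01)]


def make_gaze_trace(text, layout=LAYOUT):
    """Synthesise the gaze trace of someone typing `text`: a short saccade
    (two interpolated samples) towards each key, then a jittered dwell on it.
    """
    samples = []
    prev = None
    for ch in text:
        kx, ky = layout[ch]
        if prev is not None:
            px, py = prev
            for t in (1 / 3, 2 / 3):
                samples.append((px + (kx - px) * t, py + (ky - py) * t))
        samples.extend((kx + dx, ky + dy) for dx, dy in JITTER)
        prev = (kx, ky)
    return samples


def recover(text):
    """Round-trip helper: synthesise a trace for `text`, then infer it back."""
    return infer_text(make_gaze_trace(text))


if __name__ == "__main__":
    for typed in ("secret", "password"):
        print(f"typed {typed!r:12} inferred {recover(typed)!r}")
```

Run it and "secret" round-trips intact, but "password" comes back as "pasword": two consecutive presses of the same key produce one continuous fixation, so gaze position alone does not map one-to-one onto keystrokes and a real attack has to separate them with extra cues. The attacker also needs the key geometry in advance; here it is hard-coded, which is the toy's way of standing in for a fixed, known keyboard layout.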


The researchers disclosed the vulnerability to Apple back in April, and Apple fixed it in visionOS 1.3, which came out in July. In the release notes, Apple says that the flaw enabled inputs to the virtual keyboard to be inferred from Persona.

"The issue was addressed by suspending Persona when the virtual keyboard is active," Apple wrote in the release notes. Vision Pro users who haven't yet updated to the latest version are advised to do so as soon as possible.

While suspending Persona whenever the user is typing is a straightforward fix, the flaw raises the question of just how much a malicious observer could infer from a virtual version of you.

The researchers said that the attack hasn't been used against someone using Personas in the real world. But what makes this attack particularly dangerous is that it only requires a video recording of someone's Persona while the person was typing, so the update only protects footage captured from now on: an attacker could still run it against older video. That leaves little beyond erasing any publicly available videos in which your Persona is visible while you type, and changing any credentials you may have entered on camera; we've reached out to Apple for clarification on what can be done to protect your data.

Stan Schroeder
Senior Editor

Stan is a Senior Editor at Mashable, where he has worked since 2007. He's got more battery-powered gadgets and band t-shirts than you. He writes about the next groundbreaking thing. Typically, this is a phone, a coin, or a car. His ultimate goal is to know something about everything.

