A team of researchers at the University of New Haven recently uncovered an exploit that could mean a serious security threat to apps built on the Unity game engine. Bigscreen Beta, the Unity-based social VR platform that lets you stream you monitor to others and chat in virtual reality, was particularly vulnerable before being patched last week.

Bigscreen founder and CEO Darshan Shankar says the exploit was “reported to us and has been fixed already” and that it was “not exploited by hackers, and no one is currently vulnerable to this issue. It is fixed.”

The security patch was also publicly noted in the app’s most recent update log, among which included a number of new features such as real-time raytracing lighting effects, new environments, new avatars, and new user interface.

Before the vulnerability was patched in a recent Bigscreen Beta update, University of New Haven researchers were able to accomplish a dizzying list of bad deeds using their own ‘command and control’ tool in effort to not only render the platform unsafe for private conversation, but also potentially infect computers with any type of malware by using Unity’s OpenURL command.

Unity has since issued a warning to developers who use the OpenURL command in their games, saying “you must be extremely careful that you do not provide a string to this function which could possibly be maliciously crafted or modified by a 3rd party.”

SEE ALSO
'Bigscreen' Overhaul Brings Big Improvements & New Features to All Supported Platforms

The researchers say in a news update that without a user’s knowledge and consent—and even without tricking users into downloading software or granting access to the computer—they were able to:

  • Turn on user microphones and listen to private conversations
  • Join any VR room including private rooms
  • Create a replicating worm that infects users as soon as they enter a room with other VR users
  • View user computer screens in real-time
  • Send messages on a user’s behalf
  • Download and run programs – including malware – onto user computers
  • Join users in VR while remaining invisible. This novel attack was termed as a Man-In-The-Room (MITR) attack
  • Phish users into downloading fake VR drivers

“Our research shows hackers are able to monitor people day in and day out – listen to what they are saying and see how they are interacting in virtual reality,” said Dr. Ibrahim Baggili, founder and co-director of the University of New Haven Cyber Forensics Research and Education Group. “They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded.”

The team also created a video showing just what deleterious effects the exploit could have wrought on users if they didn’t find it and report it first.

Thankfully, what could have been a disaster for the platform’s users, which use the app both as a virtual desktop and shared viewing platform, was averted before any harm could be done.

“Working alongside security researchers and our internal security & QA practices will help us stay ahead of malicious hackers,” Shankar told Road to VR.

This article may contain affiliate links. If you click an affiliate link and buy a product we may receive a small commission which helps support the publication. See here for more information.


  • jj

    “you must be extremely careful that you do not provide a string to this function which could possibly be maliciously crafted or modified by a 3rd party.”

    This means any game aside from big screen that uses Application.OpenURL is still able to be exploited….. Man i love Unity a lot more than Unreal but this is a tough blow.

    especially because they’re leaving it for devs to fix and some might never become aware of this exploit until its too late.

    • Hivemind9000

      It’s a bigger problem than Unity. It’s an issue with URLs in general which is a problem for web developers as well – Cross Site Scripting attacks, SQL injection attacks etc. The problem is distinguishing what is a legitimate link for the app and what is a malicious link – something generally only the developer can determine (with domain rules, inbound http request parsing etc). And any app/game where users are able to share links opens them up to all sorts of phishing attacks.

      From the wording in Bigscreen’s blog post it looks like the vulnerability was fixed at the server level (probably parsing inbound http/URL requests). Not sure what they use for their back end but it seems to be outside of the control of Unity itself. Wish there was a bit more information on the exploit – “how” rather than “what” – that would be more helpful for developers to figure out how to protect their app and users/players.

      • Frederica

        Internet work opportunities are increasingly becoming a trend in all over world now. A recent research tells over 78% of people are being part of web based job opportunities at home without having issues. Everyone really wants to spend more time with his/her mates by going to any specific attractive place in the world. So web based earning enables you to complete the work at any time you want and enjoy your life. Though finding the right method furthermore setting a proper target is our milestone towards achieving success. Already most people are getting such a decent profit of $45000 every week with the help of recommended as well as efficient ways to generating income on line. You will start to earn from the first day when you browse through our web-site. >>>>> https://kutt.it/iT0LvO

      • Bertie

        Affiliate work opportunities are becoming a emerging trend in all over world nowadays. A newly released study tells us above 77% of people are being part of internet job opportunities at their home without the issues. Everybody likes to spend some time daily with his/her friends by going any specific wonderful place in the world. So internet earning allows you to carry out the work at any time you want and enjoy your life. Still picking the best track furthermore building a proper objective is our strategy toward financial success. Already most people are making such a solid pay check of $21000 weekly with the help of highly recommended and outstanding ways of making money online. You can begin to get paid from the first day at the time you look at our website. >>>>> https://iplogger.org/2L7Cj5

  • Firestorm185

    Lets Hope VRChat takes care of this problem too

  • Mateusz Pawluczuk

    Sounds like Ready Player One (Book) where Clive envisioned this kind of Man In The Room hack (along with unintented object interaction that could look like a weird glitch to an outsider, items seemingly moving by themselves etc).

    Obviously it’s great they fixed this asap but I could totally see this being used to create some first legimitate virtual pranks lol

  • JesuSaveSouls

    Jesus is God’s Son and Lord and Savior!

    • Adrian Meyer

      If you believe in fairy tales that is.

  • Adrian Meyer

    It’s good to see that honest people find these security flaws first, before any real damage is done. (hopefully)