The thing is that I suspect they were capturing the password to unlock your Vision Pro which could be the same as your iPhone/Mac etc which then unlocks everything. Or even the password for the password manager. :)

Yes, that was my understanding also. And if you use the same for your iPhone and AVP, or if they capture you unlocking your Apple ID etc, it can become a bigger deal.
Why should you type your Apple ID password, or even the passcode to access the AVP, during a video call? You're already logged in, in order to make a call or do anything else 🤦‍♂️🤦‍♂️🤦‍♂️
 
This seems like an inelegant solution to this problem. Surely they could just slightly randomize where your eyes are looking when the keyboard is open, vs completely cutting the “video” feed? It’s a 3D model that’s puppeteered by you moving your face/eyes/mouth… it doesn’t have to precisely match reality.
They could briefly replace the image of your eyes with those of Marty Feldman!
 
You do know that some people are using their Vision Pro outside of their home, right? And as more people buy the Vision Pro over time, you'll see more people using them away from home.


You do know that if you’re using a MacBook on the subway, it has the same vulnerability, right? I can capture your keystrokes and everything you’re doing as long as I’m within sight of you.

If it’s remote then that’s a bigger vulnerability. Either way, it’s good that it’s patched.
 
Absolute nothingburger of a vulnerability.
Like most vulnerability research these days, it's focused on resume padding rather than finding significant vulnerabilities. It's gotten to the point that it's become concern trolling in some projects.
 
Each key of your keyboard makes a unique sound, regardless of whether a human can hear the subtleties. I can set up a recorder and record everything you type on your machine for a couple of days and then analyze it when I get back home. These kinds of exploits have been around for ages and it's why keychains and biometrics are so important.
 
Not just a nothingburger but absurd! What's the chance you'd run into anyone possessing this skill! If you're significant enough to be tracked by the CIA or [KGB], they already HAZ ALL YOU passwords. Imagine the precise conditions for the one-in-hundred-thousand (or less) eye decoder to even track your eye movement in any given environment: head and body movement, shadowing, reflection, distracting environmental noise and movement, changing distance between, etc. So now they have a (supposed) password...now what? What site? What service? What username? Your encrypted WiFi is easier to breach than this is a security threat...James Bond knows to turn his head in a different direction when virtual typing a password...Should a random stranger ask you what site or service you are accessing on the goggles just walk away. DENIED!
 
So if I ignore the person I am talking with in FaceTime and weirdly decide to do some secure banking at that time instead, the other party can’t even guess my password within five tries almost a quarter of the time? Seems unfair. Too bad the AVP cannot just slap some sense into me for even doing that.
 
Each key of your keyboard makes a unique sound, regardless of whether a human can hear the subtleties. I can set up a recorder and record everything you type on your machine for a couple of days and then analyze it when I get back home. These kinds of exploits have been around for ages and it's why keychains and biometrics are so important.
Your windows behave like a speaker so I can listen to your conversations by directing a laser onto it from my van parked down the street.
 
This seems like an inelegant solution to this problem. Surely they could just slightly randomize where your eyes are looking when the keyboard is open, vs completely cutting the “video” feed? It’s a 3D model that’s puppeteered by you moving your face/eyes/mouth… it doesn’t have to precisely match reality.
Why randomize your eyes? Why not just have you stare blankly like you are paying no attention to the other members of the video call? Isn't that what is actually being done if one is logging into something else while in the middle of a video call?

I'm trying to see the real world scenario for this, other than simply trying to see if you could guess someone's password if they try to log into a secure site while you are in the middle of a video call. The only one I can really see is that now I will be able to just type on the virtual keyboard to hide my rolling eyes when someone says something I think is just silly. :rolleyes:
 
In short, the researchers said that a person's gaze typically fixates on a key they are likely to press next, and this can reveal some common patterns. As a result, the researchers said they were able to identify the correct letters people typed in messages 92% of the time within five guesses, and 77% of the time for passwords.
Sorry, I went to the Wired story just to make sure I wasn't reading this wrong.

Getting 1 in 5 guessed passwords right 77% of the time means they had a really low success rate. It means that 23% of the time they couldn't even get the password at all, and they potentially got it wrong 80% of the time in what they consider "successful" guesses. Holy moly, I wish I could get evaluated by their low standards.
 