-
WebXR is a standard web interface for extended reality that offers virtual environments and immersive 3D interactions, distinguishing it from the traditional web. However, these novel UI properties also introduce potential avenues for dark-design exploitation. For instance, the absence of iframe-like elements in WebXR, which on the traditional web separate content from different origins, can be exploited by third parties such as ad service providers to inject JavaScript, induce unintentional clicks, or extract sensitive user information. In this work, our objective is to identify and analyze the UI properties of WebXR that are vulnerable to exploitation by both first and third parties, and to understand their impact on user experience. First, we examine the vulnerable UI properties and propose five novel attack techniques that exploit one or more of them. We systematically categorize both existing and newly identified attacks within the advertising domain to create a comprehensive taxonomy. Second, we design a user-study framework to evaluate the impact of these attack categories, which employ dark designs, on user experience. We develop a logging system that collects spatial data from 3D user interactions and integrate it with several WebXR applications that have different interaction needs. Additionally, we develop a set of metrics to derive meaningful insights from the user-interaction logs and to assess how dark designs affect user behavior. Finally, we conduct a 100-participant between-subjects study using our user-study framework and survey. Our findings suggest that most of these dark patterns go largely unnoticed by users while effectively achieving their intended goals. However, the impact of these designs varies with their category and the application type. Our comprehensive taxonomy, logging framework, metrics, and user-study results help developers review and improve their practices and should motivate researchers to develop more robust defense mechanisms that protect user data on immersive platforms.
-
The WebXR API enables immersive AR/VR experiences directly through web browsers on head-mounted displays (HMDs). However, prior research shows that security-sensitive UI properties and the lack of an iframe-like element that separates different origins can be exploited to manipulate user actions, particularly within the advertising ecosystem. In our prior work, we proposed five novel UI-based attacks in WebXR targeting the ad ecosystem. This demo presents these attacks in a unified gaming application, embedding each into a distinct interactive scenario. Our work highlights the need to address design challenges and requirements for improving immersive web-based experiences. We provide our demo video at: https://youtu.be/lTBQbxnNq34
-
Advancements in extended reality (XR) have resulted in the emergence of WebXR, an open-standard XR interface that enables users to access immersive virtual environments via a browser without additional software. Following this, diverse applications are being developed for WebXR, ranging from gaming and shopping to medical and military use. However, recent research indicates that various UI properties of WebXR, such as synthetic input and objects overlapping in the same space, can be exploited by adversaries to manipulate users into unintentional actions, especially in the advertising ecosystem. The consequences range from system malfunctions and user data loss to financial and reputational impacts on the several ad stakeholders involved.
-
We show a new type of side-channel leakage in which the built-in magnetometer sensor in Apple's mobile devices captures users' touch events. When a conductive material such as the human body touches the mobile device screen, the electric current passing through the screen capacitors generates an electromagnetic field around the touch point. This field causes a sharp fluctuation in the magnetometer signal when a touch occurs, both when the device is stationary and when it is held naturally in the hand. These signals can be read by mobile applications running in the background without any permissions. We develop iSTELAN, a three-stage attack that exploits this side channel to infer users' application and touch data. iSTELAN translates the magnetometer signal into a binary sequence that reveals the user's touch events, exploits touch-event patterns to fingerprint the type of application in use, and models touch events to identify the types of touch performed in different applications. We demonstrate the iSTELAN attack on 22 users across 7 popular app types and show that it achieves an average accuracy of 90% for disclosing touch events, 74% for classifying the application type in use, and 73% for detecting touch-event types.
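The first iSTELAN stage, turning a raw magnetometer stream into a binary touch sequence, is the part of the abstract a practitioner can reproduce in principle with a simple change detector. The following is an added illustration written for this page, not the iSTELAN authors' code: it calibrates a noise floor on an initial window assumed to be touch-free, flags sample-to-sample jumps in field magnitude that exceed that floor, and debounces neighbouring edges so one touch yields one bit. The trace, thresholds and refractory window are constructed assumptions, not values from the paper.

```python
"""Illustrative stage-1 detector: magnetometer samples -> binary touch sequence.

Added example code for this page; it is NOT the iSTELAN implementation. The
sensor trace below is constructed, and the calibration window, k-sigma
threshold and refractory length are assumptions chosen for the example.
"""
import math
from typing import List, Sequence, Tuple

Sample = Tuple[float, float, float]  # (x, y, z) field components in microtesla


def magnitude(s: Sample) -> float:
    """Field strength; using the magnitude removes most dependence on device orientation."""
    return math.sqrt(s[0] ** 2 + s[1] ** 2 + s[2] ** 2)


def detect_touches(samples: Sequence[Sample], baseline_len: int = 20,
                   k: float = 6.0, refractory: int = 8) -> List[int]:
    """Return one 0/1 value per sample: 1 marks the sample at which a touch edge begins.

    The first `baseline_len` samples are assumed touch-free and define the noise
    floor (mean + k * std of successive-magnitude differences). Above-threshold
    jumps closer than `refractory` samples to the previous jump are merged into
    the same event, so the rising and falling edge of one touch count once.
    """
    if len(samples) <= baseline_len:
        raise ValueError("trace shorter than the calibration window")
    mags = [magnitude(s) for s in samples]
    diffs = [abs(mags[i] - mags[i - 1]) for i in range(1, len(mags))]

    base = diffs[:baseline_len]
    mu = sum(base) / len(base)
    sigma = math.sqrt(sum((d - mu) ** 2 for d in base) / len(base))
    threshold = mu + k * sigma

    bits = [0] * len(samples)
    last_edge = -(refractory + 1)
    for i, d in enumerate(diffs, start=1):  # diffs[j] belongs to sample j + 1
        if d > threshold:
            if i - last_edge > refractory:
                bits[i] = 1           # new event
            last_edge = i             # extend the current event either way
    return bits


def constructed_trace(n: int = 200, touches: Sequence[int] = (60, 120, 170),
                      width: int = 4) -> List[Sample]:
    """Constructed sensor data: a ~42 uT static field with a small deterministic
    ripple, plus a short +3 uT disturbance on one axis at each assumed touch."""
    trace: List[Sample] = []
    for i in range(n):
        bump = 3.0 if any(t <= i < t + width for t in touches) else 0.0
        trace.append((25.0 + 0.02 * math.sin(0.7 * i) + bump,
                      -30.0 + 0.02 * math.cos(0.5 * i),
                      15.0))
    return trace


def touch_indices(bits: Sequence[int]) -> List[int]:
    """Positions of the detected touch edges, the 'binary sequence' of the abstract."""
    return [i for i, b in enumerate(bits) if b]


if __name__ == "__main__":
    print(touch_indices(detect_touches(constructed_trace())))
```

The point of the calibration window is that a real trace carries Earth's field plus sensor drift, so an absolute threshold would not transfer between devices; a k-sigma rule on the difference signal does. On real data the ripple is not deterministic and the refractory length would have to be tuned to the sampling rate, which is exactly the kind of detail the abstract leaves to the paper.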