-
WebXR is a standard web interface for extended reality that offers virtual environments and immersive 3D interactions, distinguishing it from the traditional web. However, these novel UI properties also introduce potential avenues for dark design exploitation. For instance, the absence of iframe-like elements in WebXR can be exploited by third parties, such as ad service providers, to inject JavaScript scripts and induce unintentional clicks or extract sensitive user information. In this work, our objective is to identify and analyze the UI properties of WebXR vulnerable to exploitation by both first and third parties and to understand their impact on user experience. First, we examine vulnerable UI properties and propose five novel attack techniques that exploit one or more of these properties. We systematically categorize both existing and newly identified attacks within the advertising domain, to create a comprehensive taxonomy. Second, we design a user study framework to evaluate the impact of these attack categories employing dark designs on user experience. We develop a logging system to collect spatial data from 3D user interactions and integrate it with different WebXR applications that have different interaction needs. Additionally, we develop a set of metrics to derive meaningful insights from user interaction logs and assess how dark designs affect user behavior. Finally, we conduct a 100-participant between-subjects study using our user-study framework and survey. Our findings suggest that most of these dark patterns go largely unnoticed by users while effectively achieving their intended goals. However, the impact of these designs varies depending on their category and application type. Our comprehensive taxonomy, logging framework, metrics, and user study results help developers review and improve their practices and inspire researchers to develop more robust defense mechanisms to protect user data in immersive platforms.
-
The WebXR API enables immersive AR/VR experiences directly through web browsers on head-mounted displays (HMDs). However, prior research shows that security-sensitive UI properties and the lack of an iframe-like element that separates different origins can be exploited to manipulate user actions, particularly within the advertising ecosystem. In our prior work, we proposed five novel UI-based attacks in WebXR, targeting the ad ecosystem. This demo presents these attacks in a unified gaming application, embedding each into distinct interactive scenarios. Our work highlights the need to address design challenges and requirements for improving immersive web-based experiences. We provide our demo video at: https://youtu.be/lTBQbxnNq34.
-
Advancements in extended reality (XR) have resulted in the emergence of WebXR, an XR-open standard interface that enables users to access immersive virtual environments via a browser without additional software. Following this, diverse applications are being developed for WebXR ranging from gaming and shopping to medical and military use. However, recent research indicates that various UI properties in WebXR, such as synthetic input and same-space overlapping objects, can be exploited by adversaries to manipulate users into unintentional actions, especially in the advertising ecosystem. The consequences range from system malfunctions and user data loss to financial and reputational impacts on several involved ad-stakeholders.