"Hacking the Metaverse: Why Meta Wants You to Find the Flaws in Its Newest Headsets"

When a new technology arrives, cybercriminals are often quick to explore how they can benefit from it. Internet of Things (IoT) devices and other technologies are targeted by cybercriminals seeking to steal passwords, personal information, bank account information, and more. As adoption of the metaverse and Virtual Reality (VR) increases, these platforms will quickly become the focus of cybercriminals eager to uncover and exploit weaknesses in hardware and software, or possibly to use the technology to facilitate their schemes.

Now, Facebook owner Meta wants to get ahead of the hackers by asking security researchers to identify vulnerabilities and issues in metaverse-related products such as Meta Quest, Meta Quest Pro, and the Meta Quest Touch Pro, with bug bounty payments that could reach hundreds of thousands of dollars for genuine disclosures. Facebook has run a bug bounty program for its web applications since 2011. However, although the metaverse is a crucial component of Meta's business model, the company is still relatively new to producing hardware. By allowing independent cybersecurity experts to hack the metaverse, the company hopes to improve the security of all its products.

This effort includes having security researchers and hackers explore Meta's VR headsets through Meta BountyCon, a security conference centered on bug bounties that gives researchers hands-on experience with the products. Neta Oren, security analyst manager and bug bounty lead at Meta, described the most recent event's emphasis on new vulnerabilities in the VR area as a step towards the objective of making the entire industry safer.

The bug bounty program has already led to the discovery of vulnerabilities that were not previously known. One researcher discovered a flaw in Meta Quest's OAuth flow that may have allowed an attacker to take control of a user's access token and account. OAuth is an open standard used to grant websites or applications access to users' information on other websites. Another researcher discovered a flaw that could have allowed an attacker to circumvent SMS-based two-factor authentication (2FA) by exploiting a rate-limiting issue to brute-force the verification PIN necessary to validate a user's phone number.

This article continues to discuss the Meta BountyCon and the vulnerabilities that have already been discovered.

ZDNet reports "Hacking the Metaverse: Why Meta Wants You to Find the Flaws in Its Newest Headsets"
