• Nullcon Berlin Sep 2022

YoungWoon Kim, YeChan Jeon, Duyeong Kim & Hee Seong An

Talk Title:

A broken commercial metaverse-based virtual office platform

Abstract:

Existing metaverse-based virtual office platforms are at risk. A total of 31 vulnerabilities were found on four platforms, and fatal attacks such as RCE, LPE, eavesdropping, XSS, and DoS were identified. Through this study, we identified the possible threats, attack scenarios, and impact arising from these vulnerabilities, and proved with PoC code that these attacks can occur.

We identified 13 common virtual office functions through functional analysis, identified each platform's structure based on its tech stack, and selected attack vectors. Vulnerabilities occurred in various environments such as the web, binary, and VR/XR, and could lead to space theft, internal object destruction, malicious code execution, denial of service, unauthorized use of functions, and paid function bypass.

We reported countermeasures for the vulnerabilities that occurred in the Gethertown, Orbis, Kumospace, and Space platforms, in consideration of the damage that these vulnerabilities could cause to users.

Finally, we look at threats that may arise on other metaverse-based platforms and, from an attacker's point of view, at the assets that would be targeted for theft. We also provide technical measures to prevent these attacks and security measures that can be taken in the design process.

Bio:

Best of the Best 10th, Team MetaVersPloit