By taking advantage of unknown vulnerabilities, hackers could have hacked into people’s computers just by having them join a chat room in the popular virtual reality applications Steam VR and VRChat.
Security researchers Alex Radocea and Philip Pettersson found vulnerabilities in three different virtual reality platforms that would have allowed hackers to take over the target’s computer, as the researchers explained in a talk at the Recon hacking conference in Montreal last week. The vulnerabilities were in VRChat, the virtual home feature of Valve's Steam VR, and High Fidelity, an open-source platform for virtual reality.
The researchers said they reported the vulnerabilities to the VR developers, which fixed them. But these bugs show that VR developers have a lot of work to do to secure their users.
“When you get hacked in virtual reality you can definitely feel that yourself. The attacker has complete access to your senses,” Pettersson said in a phone call. “He can see through your eyes—the headsets have cameras. He can hear what you're saying—they have microphones. He can project images into your retina. He can modify this virtual world in any way he wants.”
Have a tip about a data breach or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382.
Pettersson and Radocea said that the VRChat and Steam VR vulnerabilities were particularly dangerous.
After embedding an exploit in a chat room, all a hacker had to do was invite people to it to take over their computers. At that point, the hacker could turn on their webcams or microphones, or manipulate what they see within their VR headset. Hackers could have even made this into a worm, a self-spreading VR malware that infected anyone who entered a chat room, and then invited all their friends to enter the malicious chat room—potentially reaching all VRChat or Steam VR users, just like the infamous MySpace worm did in 2005.
“[Hackers could] create a program that invites all of their friends into the room and once they get infected, it also invites all their contacts into the room,” Radocea said.
The researchers made a demo video showing what a hack like this would look like.
VRChat, Valve, and High Fidelity did not immediately respond to a request for comment.
Radocea and Pettersson said their research serves as a warning to VR makers to step up their security game and make sure their platforms are not easily exploitable.