New GAZEploit Vulnerability in Apple's Vision Pro Headset Exposes User Passwords via Eye Tracking

September 12, 2024
  • Researchers from the University of Florida have identified a significant security vulnerability in Apple's Vision Pro mixed reality headset, dubbed GAZEploit.

  • Users input text in virtual reality by focusing on a virtual keyboard, with the device tracking their eye movements instead of using physical buttons.

  • The exploit can reveal sensitive information, such as passwords, by tracking the eye movements of users' avatars during video calls.

  • During these calls, the avatar's eye movements mimic the user's gaze, allowing attackers to monitor those movements and infer which keys are being targeted on the virtual keyboard.

  • The attack can be executed remotely, requiring only video footage of the user's avatar to infer typed information, which makes it a more realistic threat.

  • The research also involved geometric calculations to determine the keyboard's position and size from gaze information.

  • By analyzing the avatar's eye movements, the researchers reconstructed the keys pressed by users typing messages, passwords, URLs, emails, and passcodes with high accuracy.

  • The researchers achieved 92% accuracy in identifying typed letters by analyzing the eye movements of the Persona, the avatar that represents the user.

  • Although the GAZEploit attack has not been used in real-world scenarios, it poses potential risks, particularly during sensitive activities such as logging in.

  • In response to this vulnerability, Apple has issued a patch that suspends the Persona feature while the virtual keyboard is active, preventing the data leakage.

  • To mitigate risks, users are advised to keep their software updated, adjust privacy settings, and avoid entering sensitive information in VR environments.

  • Experts warn that users of wearable technology often underestimate the amount of personal information these devices can collect and share, raising significant privacy concerns.

Summary based on 9 sources