Media Report: Newly Discovered Vulnerability in Apple Vision Pro Studied
3 April 2025 · Uncategorized
Source: https://www.cnr.cn/tech/techxp/20240914/t20240914_526903058.shtml
A recent report by foreign media outlets indicates that security researchers have discovered a new attack method targeting the Apple Vision Pro, named GAZEploit. The exploit observes the eye movements of users' virtual avatars (Personas) during video calls to crack their passwords.
Researchers released demonstration videos showing how they track Persona's gaze patterns and accurately detect which keys on the virtual keyboard are being looked at when a user inputs their password in Vision Pro. When used as an independent device, Vision Pro displays a large-sized virtual keyboard that uses eye-tracking technology for key detection; however, during video calls, users' Personas reflect real-life eye movements precisely, allowing attackers to infer which keys they're typing by monitoring the avatar's gaze.
To refine this attack method further, researchers developed a neural network capable of determining whether or not someone is actively typing. During typing sessions, eyes tend to focus more intensely and exhibit periodic patterns while blink rates decrease.
The research team analyzed eye movements from 30 Vision Pro users with an accuracy rate of 85.9%, suggesting that GAZEploit could potentially be used beyond password theft, also allowing attackers to spy on messages being typed or websites visited during video calls.