Hacking the metaverse: Why Meta wants you to find the flaws in its newest headsets

Close-up of a young, blonde woman wearing a Meta Quest 2 VR headset

Image: Meta

When any new technology emerges, cyber criminals and fraudsters will almost immediately have a look to see what’s in it for them.

The internet, smartphones and the Internet of Things have increasingly become part of how we live our lives — and all of these technologies are targeted by malicious hackers looking to steal passwords, personal information, bank details, and more.

So, as the metaverse and virtual reality emerge as a new way to live, work and relax on the internet, these platforms will also rapidly become the target for cyber criminals, keen to find and exploit vulnerabilities in hardware and software or perhaps to use the technology to support their scams.

Now Facebook owner Meta, which is ploughing vast sums into its metaverse-building projects, wants to get ahead of the hackers by asking security researchers to identify vulnerabilities and issues in metaverse-related products, such as Meta Quest, Meta Quest Pro and the Meta Quest Touch Pro, with genuine disclosures rewarded with bug bounty payments that potentially amount to hundreds of thousands of dollars.

Facebook has operated a bug bounty program for its web applications since 2011, but despite the metaverse being a key pillar of Meta’s business strategy, the company is still relatively new to developing hardware.

However, by encouraging cybersecurity experts from outside Meta to hack the metaverse, the company’s looking to improve the security of products for everyone.

“One of our priorities is to further integrate the external research community with us on our journey to secure the metaverse. Because this is a relatively new space for many, we’re working to make the technology more accessible to bug hunters and to help them submit valid reports faster,” says Neta Oren, security analyst manager and bug bounty lead at Meta.

Part of the strategy behind this work involves getting Meta’s virtual reality headsets out there in front of security researchers and hackers, achieving this with Meta BountyCon, a security conferenced focused around bug bounties that allows hunters to get hands-on with products.

The most recent event saw a focus on emerging threats in the VR space, something Oren describes as an intentional move towards “the goal of making the entire industry safer”.

Meta has updated its bug bounty terms to highlight that its latest products, Meta Quest Pro and the Meta Quest Touch Pro controllers, are eligible for the bug bounty program, and has added new payout guidelines for VR technology, including bugs specific to Meta Quest Pro.

And for those who find security vulnerabilities in Meta’s virtual reality and metaverse technology, there are financial rewards for bug bounties of potentially hundreds of thousands of dollars.

Among other things, the payout guidelines detail how payments for discovering mobile remote code execution bugs — vulnerabilities that could allow an attacker to execute malware or take control of a device — could be up to $300,000, while researchers who uncover account takeover vulnerabilities could be rewarded with up to $130,000.

The financial rewards are high because Meta wants to encourage hardware hackers who may not have looked at the company’s virtual reality offerings before.

“We want to help researchers prioritise their efforts and focus on some of the most impactful areas across our platform,” says Oren.

The bug bounty scheme has already resulted in the disclosure of several previously undiscovered vulnerabilities.

A disclosure submitted at BountyCon found an issue in Meta Quest’s oAuth flow — an open standard used to grant websites or applications access to user’s information on other websites, which could have led to an attacker gaining control of a user’s access token, and control of their account, with just two clicks

“We fixed this issue, and our investigation found no evidence of abuse and we rewarded this report a total of $44,250, which reflects the impact of the vulnerability,” says Oren.

Another researcher was awarded $27,200 after finding a vulnerability that could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. The vulnerability was also fixed after disclosure.

These vulnerabilities might not have been uncovered — at least not as quickly — without the bug bounty scheme, which is why, for Meta, it’s important to continue to expand it.

“We welcome any contribution from the external community to get as many eyes on the code as possible, continuing to test our products, and make them more secure,” says Oren.

The bug bounty program for the metaverse follows in the footsteps of Meta’s other bug bounty schemes, some of which have been running for a decade — and the company also has a range of information security teams to help ensure that the metaverse and Meta’s other platforms are as secure against cyber threats as possible.

They include security reviews of products, a threat-modelling team, a red team running penetration tests against the company, and more, which is all in addition to the bug bounty program. All of this effort fits together for Meta to ensure that any product released is as secure against as many threats as possible.

“These are all things we’ve learned over the years that we apply when we build new products, so the new products already have all these embedded into them,” says Oren.

After new vulnerabilities, which are disclosed as part of the bug bounty scheme, have been investigated and mitigated, security updates are rolled out to the products. To ensure that the security updates that fix vulnerabilities are applied, Meta’s VR products automatically check for updates at launch and then apply them.

“We are sharing these bugs publicly to make sure everyone in the industry can learn from us. It’s common that once one big company publishes these types of things, other companies will look internally for something similar,” Oren explains.

And because outside researchers aren’t limited to looking at Meta products, if they find something in Meta Quest Pro or another Meta device, they’re also likely to look at similar products built by others.

“We know that our researchers don’t only hunt on Meta. So, if they find a bug with us, they might then go and look for it in our competitors and they will report it to them as well,” says Oren.

“That’s why we think education is so important because the researchers, whatever they learn with us, they’ll implement for other companies while they hunt,” she says.