Magic Leap allows any app to track user's eyes without asking permission

13 points by upwardbound ↗ HN
I've recently discovered that the Magic Leap app allows any app to track user's eyes without asking permission. This can be used for a wide variety of malicious purposes such as determining the user's sexual orientation for blackmail purposes (see https://www.vice.com/en_us/article/bj9ygv/the-eyes-are-the-prize-eye-tracking-technology-is-advertisings-holy-grail ).

I submitted a responsible disclosure to Magic Leap through BugCloud but was told that this does not qualify as a vulnerability, so I would like to warn people directly to NOT trust any Magic Leap app, and to please try to petition Magic Leap to make eye tracking require asking permission, rather than being automatically granted.

5 comments

[ 2.6 ms ] story [ 22.3 ms ] thread
Isn't eye tracking going to be core to a great AR experience?
Many apps would have a poor experience if the user didn't grant them the permissions they were requesting. Can't it be both core to a great AR experience and something you should ask permission for?
Asking permission for eye tracking in a Magic Leap app is like asking permission to read screen touches in a mobile app...It's not an enhancement to the experience, it's fundamental to the platform - they need to do eye tracking to render AFAIK...
What they should do is make the APP ask permission to get the eye tracking data. The system can get the data without passing it to the app.