
CPATH-2026-0013 · SMART GLASSES AR

GAZEploit: keystroke inference from Vision Pro Persona eye movements (CVE-2024-40865)

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.
Paths: CRITICAL · Dominant consequence: PERCEPTION_PRIVACY (perception) · Evidence: EV:3 (reproduced / report-backed) · Liveness: PATCH_AVAILABLE

CPATH ID: CPATH-2026-0013
CVE(s): CVE-2024-40865
Device / class: Apple Vision Pro (visionOS · Persona avatar) (SMART GLASSES AR)
Vendor: Apple
Dominant consequence: PERCEPTION_PRIVACY (perception)
Paths verdict: CRITICAL (worst of 2 paths)
Published baseline: v3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N · NVD / CNA via NVD
Baseline relationship: Paths higher
Consequence dimension(s): #9 #3
Scored: 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence: high

Consequence Paths

Paths Assessment

Two paths were scored; both reach CRITICAL. The axis names are the ones in the vector strings below (RE, EC, EX, PH, DP, AT, CH, SR, SX, OR, EV, LS).

Axis                        Path 1: perception          Path 2: authority
Consequence (TT)            PERCEPTION_PRIVACY          ACCOUNT_AUTHORITY
Verdict                     CRITICAL                    CRITICAL
Reachability (RE)           4                           4
Complexity (EC)             3                           3
Exposure (EX)               3                           3
Physical / safety (PH)      0                           0
Data / perception (DP)      4                           3
Authority (AT)              0                           3
Chainability (CH)           2                           3
Reuse scale (SR)            3                           3
Execution scale (SX)        4                           4
Recovery (OR)               2                           2
Evidence (EV)               3 · reproduced / report-backed   3 · reproduced / report-backed
Liveness (LS)               PATCH_AVAILABLE             PATCH_AVAILABLE

Vectors
  perception: CPATH:1.0-candidate/TT:PERCEPTION_PRIVACY/RE:4/EC:3/EX:3/PH:0/DP:4/AT:0/CH:2/SR:3/SX:4/OR:2/EV:3/LS:PATCH_AVAILABLE
  authority:  CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:3/EX:3/PH:0/DP:3/AT:3/CH:3/SR:3/SX:4/OR:2/EV:3/LS:PATCH_AVAILABLE

TL;DR

The Paths model rates this CRITICAL because the Persona avatar is a faithful inference channel: it re-renders the wearer’s exact eye movements, and gaze-typed text — passwords, PINs, emails, messages — can be reconstructed from avatar video alone. The published 5.3 Medium baseline is retained for source review; the Paths drivers are perception leakage and account-authority consequence.

What it is

Vision Pro renders a Persona whose eyes faithfully reproduce the wearer's real gaze. Because text entry is gaze-driven (you look at each virtual key, then pinch to select it), researchers from the University of Florida, CertiK Skyfall and Texas Tech showed that from the outward-facing avatar alone, a FaceTime stream or a recording with no access to the device, a model can detect when the wearer is typing (about 86% precision / 97% recall) and map the fixations, and the saccades between them, back onto the virtual keyboard to reconstruct the typed input. The attack worked on message, password, email/URL and PIN entry across 30 participants. Apple addressed it in visionOS 1.3 by suspending the Persona while the virtual keyboard is active (CVE-2024-40865).

The detail that matters: Apple already sandboxes raw gaze; apps cannot read eye-tracking data, and that protection held. The same information left through the avatar, a sanctioned output nobody had labeled as carrying it. Front door guarded; data shipped out the back.

Published baseline — scope note

The vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N → 5.3. The suppressor is C:L (Low confidentiality; Integrity and Availability None). Two structural bends:

  1. It scored the channel, not the content. CVSS recorded "some text may leak" as a Low confidentiality impact. But the leaked text includes authentication secrets, and a recovered password is not low-sensitivity information: it is account authority. FIRST's confidentiality metric has no way to say "the disclosed data is itself a credential," so a credential leak and a leaked log line score the same C.
  2. NVD-CWE-noinfo. NVD could not classify the weakness. There is no CWE for "a faithful representation of the user is an inference channel." Nothing was accessed or corrupted; a legitimate output was inverted. CVSS's access / integrity / availability ontology has no axis for "the output is a structure-preserving function of the secret."

Consequence driver

The Paths model highlights #9 (representation / inference-channel leakage) — the avatar is a faithful, invertible function of gaze, so a secret can leave through a sanctioned output without conventional access — and #3 (authority-leak as a weakness class), because credential reconstruction can confer account authority rather than only low-sensitivity disclosure. Scale-of-reuse #1 and the gaze → keystroke → credential → account chain #2 also apply.

Requirement #9 — the case behind it

The medical triptych derived eight requirements. GAZEploit — the registry’s first AR / inference-channel case — is the case behind the ninth, now part of the spec:

Representation / inference-channel leakage. A system’s externally-observable output can be a structure-preserving function (a homomorphism) of a sensitive internal variable; observing the output and inverting it recovers the secret — with no access, no exploit, no breach. Protecting a secret therefore requires protecting every sufficiently-informative function of it, including its rendered, displayed, or physically actuated outputs — not just the variable itself.

CVSS and CWE have no vocabulary for this; Paths's Perception axis is the closest existing home, and the requirement is now named explicitly (#9). The principled fix is not Apple's content-specific gate (which plugs keystrokes but leaves reading, attention, and affect leaking); it is render from intent, not from biology: synthesize a socially-sufficient avatar that conveys presence without mirroring the exact gaze vector. Mirroring is leakage; synthesis removes the channel, with one caveat that follows from the requirement itself: whatever signal drives the synthesized avatar must not be a sufficiently-informative function of the secret either (an avatar that visibly changes state exactly while the wearer types has reintroduced a timing channel).
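The channel in miniature, as an added example that is not code from the registry, the GAZEploit paper or Apple: a constructed PIN pad in avatar-gaze coordinates, a simulated gaze-typing stream, three avatar renderers (mirror, keyboard gate, intent-driven synthesis) and an attacker that sees only the rendered stream, never the eye tracker. The keypad geometry, the fixation/saccade model, the noise levels, the PARTNER point, and the attacker's clustering thresholds are all assumptions made for this demonstration; the paper's typing-session detector and its keyboard-position estimation are not reproduced.

```python
"""Added example (not code from the registry entry, the GAZEploit paper or Apple).

Simulates the inference channel the entry describes: the attacker never touches
the eye tracker, only the avatar's rendered gaze, and still recovers what was
gaze-typed. Three avatar renderers are compared:

  mirror      avatar eyes reproduce the wearer's gaze sample for sample
  gate        Persona suspended while the virtual keyboard is up (the
              content-specific fix the entry attributes to visionOS 1.3)
  synthesize  avatar eyes driven by an intent signal ("attending to the
              conversation partner") that never reads the real gaze

Keypad layout, fixation/saccade model, noise levels and the attacker's
clustering thresholds are constructed here for illustration (assumptions).
"""
import math
import random

# Constructed 3x4 PIN pad in normalized avatar-gaze coordinates (x right, y down),
# keys 0.2 apart. A real attacker estimates layout and scale from the stream.
PIN_PAD = {ch: ((i % 3) * 0.2 - 0.2, (i // 3) * 0.2 - 0.3)
           for i, ch in enumerate("123456789*0#")}
PARTNER = (0.0, -0.6)   # assumed position of the conversation partner, off the keypad


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def _centroid(pts):
    return (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))


def true_gaze_while_typing(text, rng, samples_per_key=12, jitter=0.01):
    """Wearer's real eye-tracker stream while gaze-typing `text`: a noisy
    fixation of several samples on each key, one saccade sample in between."""
    stream, prev = [], None
    for ch in text:
        key = PIN_PAD[ch]
        if prev is not None:
            stream.append(((prev[0] + key[0]) / 2, (prev[1] + key[1]) / 2))
        stream += [(key[0] + rng.gauss(0, jitter), key[1] + rng.gauss(0, jitter))
                   for _ in range(samples_per_key)]
        prev = key
    return stream


# --- avatar renderers: what the far end of the call actually sees -------------
def render_mirror(gaze, keyboard_up, rng):
    """Faithful Persona: the avatar's gaze is the identity function of real gaze."""
    return list(gaze)


def render_gate(gaze, keyboard_up, rng):
    """Suspend the Persona while the keyboard is active: nothing is rendered
    (None) during typing; outside typing it still mirrors biology."""
    return [None] * len(gaze) if keyboard_up else list(gaze)


def render_synthesize(gaze, keyboard_up, rng):
    """Render from intent: the avatar looks at the partner with its own
    micro-jitter. Real gaze is not an input, so no function of it can leak."""
    return [(PARTNER[0] + rng.gauss(0, 0.01), PARTNER[1] + rng.gauss(0, 0.01))
            for _ in gaze]


# --- attacker: fixation clustering on the avatar stream, then nearest key ------
def recover_keystrokes(avatar_gaze, dwell_min=6, eps=0.08):
    """Group consecutive samples into fixations (a sample more than `eps` from
    the running centroid starts a new group; groups shorter than `dwell_min`
    are treated as saccades and dropped) and map each fixation to its nearest
    key. Repeated consecutive keys collapse into one fixation in this toy."""
    fixations, cluster = [], []
    for pt in avatar_gaze:
        if pt is None:               # avatar not rendered: nothing to observe
            continue
        if cluster and _dist(pt, _centroid(cluster)) > eps:
            if len(cluster) >= dwell_min:
                fixations.append(_centroid(cluster))
            cluster = []
        cluster.append(pt)
    if len(cluster) >= dwell_min:
        fixations.append(_centroid(cluster))
    return "".join(min(PIN_PAD, key=lambda k: _dist(PIN_PAD[k], c)) for c in fixations)


def compare_renderers(pin="9137", seed=7):
    """Run the attack against each renderer; returns {renderer: recovered text}."""
    rng = random.Random(seed)
    real = true_gaze_while_typing(pin, rng)
    return {name: recover_keystrokes(render(real, True, rng))
            for name, render in (("mirror", render_mirror),
                                 ("gate", render_gate),
                                 ("synthesize", render_synthesize))}


if __name__ == "__main__":
    for name, recovered in compare_renderers().items():
        print(f"{name:>10}: {recovered!r}")
```

Running it shows "mirror" recovering the full PIN from the avatar stream alone, "gate" recovering nothing while the keyboard is up, and "synthesize" yielding a single fixation on the partner that carries no key information. The entry's argument is visible in the renderer signatures: render_synthesize never reads its gaze argument, so there is nothing to invert, whereas render_gate still mirrors biology whenever the keyboard is down, which is where reading and attention continue to leak.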

Cite this entry: CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0013 (“GAZEploit: keystroke inference from Vision Pro Persona eye movements (CVE-2024-40865)”), paths.cfse.ai/CPATH-2026-0013 (published 2026-06-03).