
The Rise of VR: Addressing AppSec

Virtual Reality Risks and Solutions

“We must adapt our ways to ensure data security and privacy issues are not left behind because we were too slow to change.” -DevSecOps Manifesto

New technologies inevitably bring along new risks. Virtual Reality (VR) is one of those technologies that is slowly creeping into our daily digital lives; however, not much attention has been paid to the risks it brings along. This year at the Shift AppSec 2019 virtual conference, Kavya Pearlman, co-founder of the X-Reality Safety Initiative (XRSI), shared her experience and application security research, as well as work conducted by Dr. Ibrahim (Abe) Baggili and the Cybersecurity Research team at the University of New Haven, Connecticut.

Watch her talk here:

Pearlman shared some novel attacks as well as traditional attacks that were carried out on prominent Social VR applications.

Previously, Pearlman shared her opinion and subject matter expertise on Virtual Worlds and Real risks as well as Virtual Reality: A new frontier of Social Engineering. She is now partnering with Dr. (Abe) Ibrahim Baggili and his students, the leading voices in the industry for uncovering these application security Virtual Reality hacks and cyber attacks. Their work focuses on what can go wrong with VR. The team’s work can be read here:

Pearlman also shared more traditional exploitation techniques that were used recently in hacking the Social VR application, BigScreen VR.


As the industry looks towards mass adoption of Virtual Reality with an expected $40 billion market size and over 200 million active users by the year 2020 (source: Statista via VRFocus), these new cyber attacks have already begun making headlines.

Virtual Reality becoming new target for potential hackers

Kavya Pearlman and Dr. Baggili, along with other security researchers and privacy and ethics advocates, have started a non-profit initiative to combat these risks in emerging technologies like Virtual Reality (VR), Augmented Reality (AR) and Mixed Reality (MR), collectively known as X-Reality (XR).

The newly formed non-profit, XRSI, is currently focused on spreading awareness around these risks and potentially implementing solutions and standards across the industry and the globe.

XRSI Vision: Help build safe virtual environments.

XRSI Mission: Inspire and catalyze the safe use of X reality.

For more information on XRSI, follow the Twitter handle @XRSIdotorg.

Author: Kavya Pearlman (@Kavyapearlman) Kavya Pearlman is well known as “The Protector” or “Cyber Guardian” of two virtual world economies, Second Life and the latest social VR platform called Sansar, for her work with Linden Lab. She is one of the Top 20 influencers in Cybersecurity for 2018 as voted by IFSEC. Recently Kavya was awarded 40 under 40 Top Business Executives 2019 by San Francisco Business Times and Rising Star of the year 2019 by Women in IT Award Series. For her work and contribution to the security industry, Kavya was named minority CISO of the year 2018 by ICMCP. Kavya is an advocate for women and underrepresented communities in security and an inspirational figure for many around the world. Along with a few security researchers, Kavya has now started a non-profit effort, XR Safety Initiative, to promote privacy, security, and ethics and to develop standards around application security for Virtual Reality, Augmented Reality and Mixed Reality (VR/AR/XR).

Contributor: Ibrahim (Abe) Baggili (@CyberShawerma) Dr. Ibrahim (Abe) Baggili is the Elder Family Endowed Chair of Computer Science & Cybersecurity at the Tagliatela College of Engineering, Department of Computer & Electrical Engineering and Computer Science at the University of New Haven, CT, specializing in Cybersecurity & Forensics. He serves as the Assistant Dean and is the founder of the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG). Abe is also the former editor-in-chief of the Journal of Digital Forensics, Security and Law (JDFSL). He received his BSc, MSc and PhD from Purdue University, where he worked as a researcher in CERIAS. Abe has co-authored over 70 publications including books, peer-reviewed articles, and conference papers and has received funding for his work from a variety of sources including the NSF, NSA, DHS and MITRE. Most recently, work with his students showed security issues in mobile social messaging applications that affect over 1 billion people worldwide; they also found major Virtual Reality exploits that affect people globally.

