
Magic Leap allows any app to track user's eyes without asking permission - upwardbound
I've recently discovered that the Magic Leap app allows any app to track user's eyes without asking permission. This can be used for a wide variety of malicious purposes such as determining the user's sexual orientation for blackmail purposes (see https://www.vice.com/en_us/article/bj9ygv/the-eyes-are-the-prize-eye-tracking-technology-is-advertisings-holy-grail ).

I submitted a responsible disclosure to Magic Leap through BugCloud but was told that this does not qualify as a vulnerability, so I would like to warn people directly to NOT trust any Magic Leap app, and to please try to petition Magic Leap to make eye tracking require asking permission, rather than being automatically granted.
======
arosenbaum
Asking permission for eye tracking in a Magic Leap app is like asking
permission to read screen touches in a mobile app...It's not an enhancement to
the experience, it's fundamental to the platform - they need to do eye
tracking to render AFAIK...

~~~
upwardbound
What they should do is make the APP ask permission to get the eye tracking
data. The system can get the data without passing it to the app.

------
verdverm
Isn't eye tracking going to be core to a great AR experience?

~~~
kian
Many apps would have a poor experience if the user didn't grant them the
permissions they were requesting. Can't it be both core to a great AR
experience and something you should ask permission for?

