That Doesn’t Go There: Attacks on Shared State in Multi-User Augmented Reality Applications

We present the first end-to-end attacks on shared state in commercial multi-user augmented reality (AR) systems, including platforms such as Google ARCore and Meta Mapillary. Our attacks demonstrate how adversaries can manipulate shared spatial state to poison holographic content or exfiltrate sensitive data across real-world environments.

This work reveals a previously unexplored attack surface in collaborative AR systems and highlights the security risks that arise when shared spatial state is implicitly trusted. Our findings emphasize the need for robust isolation and validation mechanisms in multi-user XR platforms.