Oculus Quest SideQuest App Fixed Critical Remote Code Execution Flaw

CVE: CVE-2024-21625
CVSS (v3.1): 8.8
Source: CVE-2024-21625

The popular Oculus Quest app SideQuest, which allows users to access additional VR applications, fixed a serious vulnerability in a recent update.

Prior to version 0.10.35, the SideQuest desktop application did not properly sanitize deep links using a custom “sidequest://” protocol. This allowed a malicious actor to potentially execute arbitrary code on a user’s device remotely with just a single click from within the app.

Deep links are a technique many applications use to open a specific page or trigger an action when a URL is clicked. If the handler does not validate the link before acting on it, the link can be exploited to run malicious payloads. In this case, an attacker could have crafted a link to automatically install malware or steal sensitive information when clicked by an unsuspecting SideQuest user.

Thankfully, the developers were aware of this issue and released an update quickly. Version 0.10.35 now properly parses and sanitizes any custom protocol links to prevent remote code execution.
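As an added illustration of what parsing and sanitizing a custom-protocol link can look like (this is not SideQuest's code), the JavaScript below validates a `sidequest://` link against a strict allowlist before anything acts on it. The action names (`open-app`, `open-category`), their parameter rules and the length limit are hypothetical.

```javascript
// Added example: allowlist validation for a custom-protocol deep link.
// Action names and parameter rules below are hypothetical, not SideQuest's real routes.
const ALLOWED_ACTIONS = new Map([
  ['open-app', new Map([['id', /^[0-9]{1,10}$/]])],
  ['open-category', new Map([['name', /^[a-z0-9-]{1,40}$/]])],
]);
const MAX_LINK_LENGTH = 512; // assumed limit for this example

const reject = (reason) => ({ ok: false, reason });

function parseDeepLink(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_LINK_LENGTH) return reject('bad-input');
  let url;
  try {
    url = new URL(raw); // use the WHATWG parser, never hand-split the string
  } catch {
    return reject('unparseable');
  }
  if (url.protocol !== 'sidequest:') return reject('wrong-scheme');
  // A deep link needs no credentials, port, fragment or path.
  if (url.username || url.password || url.port || url.hash) return reject('unexpected-component');
  if (url.pathname !== '' && url.pathname !== '/') return reject('unexpected-path');

  // Map lookup avoids prototype keys such as "constructor" matching by accident.
  const schema = ALLOWED_ACTIONS.get(url.hostname);
  if (!schema) return reject('unknown-action');

  const params = Object.create(null);
  // searchParams yields percent-decoded values, so each rule sees what a handler would see.
  for (const [key, value] of url.searchParams) {
    const rule = schema.get(key);
    if (!rule) return reject('unexpected-param');
    if (key in params) return reject('duplicate-param');
    if (!rule.test(value)) return reject('bad-param-value');
    params[key] = value;
  }
  if (Object.keys(params).length !== schema.size) return reject('missing-param');

  // Only this validated object is handed to the action handler, never the raw URL.
  return { ok: true, action: url.hostname, params };
}
```

Anything that is not an exact match for a known action and its expected parameters is rejected, so link content never reaches code that builds commands, file paths or script from it.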

If you use SideQuest, be sure to update to the latest version immediately for protection. Also, only open links from trusted sources and be wary of any that seem suspicious or don’t match the context of your browsing. Staying on top of application updates is one of the best ways to keep your VR experience secure.
