OSINT in a Metaverse

The term Metaverse, a collection of immersive 3D worlds with a social element, is constantly in the news, especially now that Meta is also building its own. Years ago it started with Second Life, but with the popularity of VR headsets and more computing power, these environments are slowly taking off. Recently I looked around in the metaverse of Spatial and had to think about the OSINT aspects of it, because with every new social media platform, there are new venues to be discovered. I don’t know how popular this particular platform is, but it is important to investigate any new sites or apps you encounter in case they become important one day.

The Basics

The metaverse of Spatial, with a collection of featured spaces on the front page

On the front page of Spatial, you will see a collection of featured spaces that you are able to enter. When entering a space you will be presented with a 3D environment, where you are able to walk around and interact with others. It’s possible to talk with others, host NFT art, and create a lifelike 3D avatar from a selfie, and owners can leave ‘sticky notes’ for visitors, just to name some major features. Most information is easily visible; sometimes it just needs a single mouse click. For instance, it is possible to click on the top part of the screen and open up some basic information on the space and its visitors.

Viewing visitors of any space within Spatial.io, even when you join as a guest.

One can click on any user and visit their profile page, from that pop-up or even by clicking on a user within the space. These profile pages are hosted on a URL that looks like this:

https://www.spatial.io/@jake

On that page it’s possible for people to leave links to several other social media platforms: Discord, Facebook, Instagram, LinkedIn, Opensea, TikTok and Twitter. An example of such a profile can be seen here:

Viewing a profile of a user on Spatial.io

As can be seen by the list of icons, Jake has filled in a lot of links to all kinds of social media. This makes it possible to link a user from this metaverse to other online accounts. It is also possible to view a larger user profile image by simply opening the image in a new tab. This will present you with an avatar with a size of 800×800 pixels.

Developer Tools

As most people know by now, I am a big fan of looking at what else is available under the hood. Not only because it might give me options for scraping large amounts of data in an easy way, but also because sometimes it might contain some information that isn’t visible to regular users. For this metaverse, there are some URLs worth investigating, since they contain some interesting information.

Spaces / Rooms

When entering a room, you will see that there is lots of information to be found when looking at URLs that start with https://api.spatial.io/api/v1/rooms. Things to look at within these spaces are the ownerID and the userID, which contain the 24-character unique identifier, and the display name of the owner. It also contains a subscriptionType, which can be empty for a free version, but I have also encountered ‘ENTERPRISE’ as a value. Within the JSON output, it also shows a list of room admins. They can be seen when clicking on the list of visitors after you enter a room, but the nice thing with Spatial is that it is also visible from connecting spaces.

Within Spatial it is possible to create so-called “portals” to other spaces, and when entering a space you are actually able to see all kinds of information on these connected spaces too. This includes invitations, the owner and admins, and more. And you don’t even need an account, since you can join as a guest visitor too. And last, but not least, in the JSON output there is also the value createdAt, which contains the exact moment of creation of that space, or a connected space.

Invited Guests

But there is more information presented within the JSON output. For instance, it is possible for an owner to invite people to join a specific space, and this information is even public. When browsing the JSON output of a space, a list of directly invited guests is visible, including the email address used to invite them. As an example, this is a part of the JSON output of a private space that someone created and invited me to. I visited the space as an anonymous guest, and hadn’t accepted the invitation yet, but this information was still visible:

"directlyInvitedGuests": {
  "xxxxxxxxxxxxxxxxxxxxxxxx": {
    "id": "xxxxxxxxxxxxxxxxxxxxxxxx",
    "displayName": "",
    "email": "[email protected]",

When someone is invited but hasn’t accepted yet, the status is visible further up in this JSON object, shown as:

"accountCompletionStatus": "INVITED"

After accepting the invitation, the invitation information is still visible, but after joining the space, the status will be changed to:

"accountCompletionStatus": "COMPLETE"
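
For a space owner who wants to check what a guest visitor can read about invitees, the sketch below (an added example, not code from the original post or from Spatial) walks a saved rooms response and lists every invited-guest entry that exposes an email address, masking the address in the report. The sample JSON, its nesting, the `connected` key and the placement of `accountCompletionStatus` are constructed for illustration; only the field names quoted above come from the post.

```python
import json

# Constructed sample: field names are the ones quoted in the article; the nesting,
# the "connected" key and every value are assumptions made for this example.
SAMPLE = json.loads("""
{"ownerID": "aaaaaaaaaaaaaaaaaaaaaaaa", "subscriptionType": "", "createdAt": "2022-01-01T10:00:00Z",
 "directlyInvitedGuests": {"bbbbbbbbbbbbbbbbbbbbbbbb": {
     "id": "bbbbbbbbbbbbbbbbbbbbbbbb", "displayName": "",
     "email": "guest.one@example.org", "accountCompletionStatus": "INVITED"}},
 "connected": [
   {"ownerID": "cccccccccccccccccccccccc", "subscriptionType": "ENTERPRISE",
    "createdAt": "2022-02-02T12:30:00Z",
    "directlyInvitedGuests": {"dddddddddddddddddddddddd": {
        "id": "dddddddddddddddddddddddd", "displayName": "Guest Two",
        "email": "guest.two@example.org", "accountCompletionStatus": "COMPLETE"}}}]}
""")

def mask(email):
    """Keep the first character and the domain so the report does not repeat the leak."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"

def audit(node, findings=None):
    """Walk any nesting and record each invited-guest entry that exposes an email."""
    findings = [] if findings is None else findings
    if isinstance(node, dict):
        guests = node.get("directlyInvitedGuests")
        if isinstance(guests, dict):
            for guest_id, guest in guests.items():
                if isinstance(guest, dict) and guest.get("email"):
                    findings.append({
                        "ownerID": node.get("ownerID"),      # space the invite belongs to
                        "createdAt": node.get("createdAt"),
                        "guestID": guest.get("id", guest_id),
                        "email": mask(guest["email"]),
                        "status": guest.get("accountCompletionStatus", "UNKNOWN"),
                    })
        for key, value in node.items():
            if key != "directlyInvitedGuests":               # already handled above
                audit(value, findings)
    elif isinstance(node, list):
        for item in node:
            audit(item, findings)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because the walk is recursive, entries belonging to connected spaces are reported alongside those of the space itself, each tagged with the ownerID found at its own level.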

Conclusion

With these so-called metaverses becoming more popular, there are new OSINT platforms to discover. Each platform will have its own way of retrieving information, and it is a good idea to have a good look “under the hood”, because you never know what interesting information is out there. And when you realise that a lot of these metaverses have the option to trade, sell or show NFT-related items, there is also the possibility that some information discovered can lead to other blockchain-related Web 3.0 content.

To summarise this, wherever you are, always make sure you stay OSINT Curious!
