Amid the news of the upcoming budget Vision Pro, and new features coming to VisionOS, Apple has dealt with an existing issue.
Apple’s developer team fixed a scary bug in its augmented reality platform visionOS that allowed malicious websites to fill your Apple Vision Pro headset with hundreds of 3D objects, including bats and spiders, without your permission.
The bug was discovered by security researcher Ryan Pickren, who found a way to bypass all warnings in the Safari browser to render 3D models and accompanying sounds created by a website – seemingly in your physical environment.
Pickren says he disclosed the bug to Apple in February, and it’s been patched in visionOS 1.2, which shipped in June. Apple has also awarded Pickren a bug bounty for his efforts.
“This means that we can launch an arbitrary number of 3D, animated, sound-creating, objects without any user interaction whatsoever…If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats! Freaky stuff.”
Ryan Pickren
The exploit took advantage of Apple’s older web-based 3D model standard Apple AR Quick Look. And since Quick Look handled the objects, it wasn’t enough to close Safari to make the monsters disappear. The only way to get rid of them was to tap each spider or bat individually.
While Apple has introduced new restrictions to prevent websites and apps from spawning 3D objects at will – including a permissions prompt that asks users if they’d like to allow a 3D model to render – the new protections didn’t cover AR Quick Look, which was designed to let users view 3D objects in the real world without installing a separate app.