Trending News Guru

Apple Resolves Alarming Issue in Vision Pro Headset

Apple has resolved a significant vulnerability in its Vision Pro headset. This flaw enabled malicious websites to flood users’ augmented reality space with a deluge of virtual 3D objects, such as bats, spiders, and other frightening entities. A cybersecurity researcher discovered the bug, noting that despite Apple’s implementation of protections against such exploits, a minor oversight rendered the system vulnerable.

Apple’s existing protections against such exploits

In a blog post, cybersecurity researcher Ryan Pickren, who uncovered the bug, explained that Apple has specific safeguards for Vision Pro apps. Pickren stated: “Apple is rightly protective of what and who can enter your personal space in Vision Pro. Imagine how terrible it would be if a malicious app could frighten you by generating objects behind you. Fortunately, native apps are, by default, restricted to a ‘Shared Space’ context where they behave predictably and can be easily closed. If an app seeks a more immersive experience, it must obtain explicit permission from the user through an OS-level prompt that places it in a trusted ‘Full Space’ context.”

However, websites can use experimental features to achieve the same effect. Apple has since extended the Full Space model to apply to websites as well.

Cause of the Bug

  • Pickren noted that despite Apple’s existing protections, an older AR feature from 2018 was overlooked. This feature remains active in WebKit, including the Vision Pro build.
  • Pickren explained: “An older web-based 3D model viewing standard seems to have been forgotten by the visionOS team – Apple AR Kit Quick Look! In 2018, when Apple first ventured into AR/VR/XR, they developed an HTML-based method in iOS for rendering 3D Pixar files called In-Place USDZ Viewing.”
  • Through some quick testing, Pickren found that this standard is still functional in WebKit, including the visionOS build, and supports the modern “.reality” filetype created by Apple’s Reality Composer. It even allows for Spatial Audio, making the sound appear to emanate from the object itself. These features work out-of-the-box, requiring no special experimental features to be enabled by the user.
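For teams that review or filter web content, the sketch below audits a page's HTML for links that can reach the in-place viewer described above. It is an added example, not code from the article or from Pickren's post. It assumes the `rel="ar"` anchor marker from Apple's AR Quick Look documentation, which the article does not mention, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File types named in the article: USDZ and Reality Composer ".reality".
AR_EXTENSIONS = (".usdz", ".reality")

# Constructed sample markup for demonstration only.
SAMPLE = """
<a rel="ar" href="/models/chair.usdz"><img src="chair.jpg"></a>
<a REL="noopener AR" href="https://cdn.example/scene.reality?v=2#x"></a>
<a href="/docs/arkit.html">about</a>
<a href="/dl/toy.USDZ">download</a>
"""

class ARLinkAuditor(HTMLParser):
    """Collects anchors that reference AR model files or carry rel="ar"."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {name: (value or "") for name, value in attrs}
        rel_ar = "ar" in a.get("rel", "").lower().split()
        # Compare on the URL path only, so query strings and fragments
        # appended to the model URL do not hide the extension.
        path = urlsplit(a.get("href", "")).path.lower()
        model_file = path.endswith(AR_EXTENSIONS)
        if rel_ar or model_file:
            self.findings.append(
                {"href": a.get("href", ""), "rel_ar": rel_ar, "model_file": model_file}
            )

def audit_html(html):
    """Return every anchor that is AR-related, in document order."""
    parser = ARLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

def quick_look_triggers(html):
    """Anchors that both carry rel="ar" and point at a model file."""
    return [f for f in audit_html(html) if f["rel_ar"] and f["model_file"]]

if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding)
```

Anchors with `rel_ar` and `model_file` both set are the ones to review first; a model link without `rel="ar"` is reported separately because it is an ordinary link to the file.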
