Amid the news of an upcoming cheaper Vision Pro and new features coming to visionOS, Apple has also dealt with an existing problem.
Apple's developers fixed an alarming bug in visionOS, the operating system of the Vision Pro headset, that allowed a malicious website to fill a wearer's surroundings with hundreds of 3D objects, including bats and spiders, without permission.
The bug was discovered by security researcher Ryan Pickren, who found a way to bypass all of Safari's warnings so that a website could render 3D models, with accompanying sounds, that appear to sit in your physical environment.
Pickren says he disclosed the bug to Apple in February, and it has been patched in visionOS 1.2, which shipped in June. Apple has also awarded Pickren a bug bounty for the report.
“This means that we can launch an arbitrary number of 3D, animated, sound-creating, objects without any user interaction whatsoever… If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats! Freaky stuff.”
Ryan Pickren
The exploit took advantage of Apple's older web-based 3D model feature, AR Quick Look. Because Quick Look is a system viewer that takes over the models once a page hands them off, rather than rendering them inside the browser, closing Safari was not enough to make the monsters disappear. The only way to get rid of them was to tap each spider or bat individually.
Apple had already introduced new restrictions to stop websites and apps from spawning 3D objects at will, including a permission prompt that asks users whether they'd like to allow a 3D model to render. But those protections did not cover AR Quick Look, which was designed to let users view 3D objects in the real world without installing a separate app, so the older code path remained unguarded until the visionOS 1.2 fix.