Fixed a Vision Pro bug; websites can no longer fill your room with bats

Apple has fixed a bug in Vision Pro that would have allowed a website to fill your room with an unlimited number of virtual 3D objects. These objects – flying bats in the proof of concept – would persist even after leaving Safari.

The bug was discovered by a cybersecurity researcher who says Apple took great care to protect against this type of exploit, but it forgot one thing…

Apple has protections against this

Ryan Pickren says Apple has specific protection against this in Vision Pro apps.

One of the main areas where Apple is rightly protective is protecting who and what is allowed into your personal space in Vision Pro. Wouldn’t it be terrible if a malicious app could scare you by making objects appear behind you? Fortunately, by default, native apps are limited to one “Shared Space” context, where they act predictably and can be easily shut down.

If an application wants a more immersive experience, it must receive explicit permission from the user via an OS-level prompt that places it in a trusted “Full Space” context.

Websites can use experimental features to achieve the same thing, and Apple has extended the Full Space permission model to cover websites as well.

But the company forgot one thing

But Apple forgot about an AR feature developed in 2018. It’s still present in WebKit today, and that includes the Vision Pro version.

There’s an old standard for web-based 3D model viewing that the visionOS team seems to have forgotten about: Apple ARKit Quick Look! In 2018, when Apple started getting into AR/VR/XR, they developed a new HTML-based method in iOS for rendering Pixar 3D files called In-Place USDZ Viewing (…)

After some quick testing, I noticed that this standard is still alive and well in WebKit (including the visionOS version), and it even supports the more modern “.reality” file type created by Apple’s Reality Composer. In fact, we can even add Spatial Audio to make it seem like the sound is coming from the object itself. Best of all, these features work by default, so the victim does not need to enable sophisticated experimental features.

And here’s the fun part: Safari doesn’t enforce any type of permission model on this feature. Furthermore, it is not even necessary for this anchor tag to have been “clicked” by the human. So a programmatic JavaScript click (i.e. document.querySelector('a').click()) works without problem! This means we can throw an arbitrary number of 3D, animated, sound-creating objects without any user interaction.

If the victim views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screaming bats! Funny things.

All a user has to do is simply visit a website, and seconds later…

Now fixed

Apple paid Pickren an undisclosed bug bounty for identifying the vulnerability, and it is now fixed.

Main image: Todd Cravens on Unsplash. Bat gif: Ryan Pickren.
