Apple Vision Pro gets hacked to fill your room with spiders

Here’s a new “fun” one for the books: hacking into space computing devices to scare a user. Despite Apple’s image of being more secure than competing operating systems, cybersecurity researcher Ryan Pickren discovered a flaw in the Apple Vision Pro. This allowed Pickren to flood a user’s room with hundreds of spiders and bats. Without their consent. I don’t think I need to stress how terrifying this would be, even for someone who doesn’t suffer from arachnophobia. Hundreds of little creatures all over your room and heading towards you? I would just throw my helmet against the wall.

This exploit was possible through the Safari web browser, according to Pickren. The modern WebXR standard requires user consent via a pop-up to work, making such hacking impossible. But Pickren discovered that Apple had forgotten its old quick preview of the HTML-based Apple AR Kit.

The way Apple AR Kit Quick Look works is that a website doesn’t even need user permission to display virtual objects. So, as Pickren quickly discovered during testing, simply visit a website in the VisionPro allowed him to perform his little evil trick.

Hello terrifying mixed reality nightmares.

What makes this even worse is that, due to how Apple AR Kit Quick Look works, closing Safari didn’t get rid of the spiders and bats. Users had to either go around the room tapping each spider and bat to get rid of them, or simply remove the headset.

It’s worth mentioning that Pickren didn’t use this feat to scare anyone. The vulnerability was reported and Apple fixed it. But it was certainly a good reminder of how old and abandoned software can be used to exploit modern technology.

Our Apple Vision Pro review found the headset to be a marvel of modern engineering. However, Apple still needs to find its place in the industry before it can impress more people. Small feats like this are, in my opinion, good lessons on how to improve a product.