Vision Pro: Horror exploit brings virtual spiders into your own four walls

Specially crafted websites can alter the headset wearer's surroundings without their consent. A patch is already available.


Suddenly spiders are scurrying across the desk; for some users, this could trigger a kernel panic.

(Image: Screencap: Ryan Pickren)

This article was originally published in German and has been automatically translated.

'Spatial computing' comes with spatial bugs: A flaw in WebKit, the browser engine underlying Safari, allows attackers to inject unwanted digital objects into the physical surroundings of a Vision Pro user merely by getting them to visit a website. As a security researcher has now demonstrated, this can be exploited, for example, to flood the headset wearer's desk and room with spiders and bats. Apple has fixed the vulnerability in visionOS 1.2.

Before a visionOS app can take over or alter the physical environment, the user normally has to give consent first. The hurdles are also high in the Safari browser, explains developer Ryan Pickren, who reported the bug to Apple: VR content played via WebXR and stereoscopic 180/360-degree videos are only delivered with the user's consent. For previews of 3D files in the USDZ and .reality formats, however, there was no such prompt, Pickren noted. Such 3D models can easily be embedded in a website and launched programmatically when the page is opened, so no further click by the user is required.

His exploit immediately fills the headset wearer's room with hundreds of crawling spiders and screeching bats, and it can also play sound. Another problem is that there is no immediate emergency exit, short of ripping the headset off your head. The 3D objects run in a separate Quick Look preview process rather than in Safari, Pickren explains, so a frightened user who hastily closes the browser does not get rid of the spiders.

In the end, the bug was easy to find, writes the security researcher, who only had to dig through older WebKit documentation until he came across this "neglected attack surface". Apple has classified the bug as a denial-of-service issue, since loading a certain number of 3D models can also crash the headset, the developer notes. He himself, however, is more interested in the new attack scenarios that mixed reality makes possible.

(lbe)