Apple fixes Vision Pro bug allowing websites to flood user's space with virtual objects

Apple has fixed a significant bug in its Vision Pro headset that allowed websites to fill a user's environment with countless virtual 3D objects, 9to5Mac reported.

According to the publication, the flaw was disclosed by a security researcher who demonstrated it with flying bats. Notably, the virtual objects persisted in the user's space even after Safari was closed.

Apple applies strict controls on what can enter a user's personal space on Vision Pro. By default, native apps run in a "Shared Space", where their behaviour is predictable and they can be closed easily. To offer a more immersive experience, an app must obtain explicit user permission through an OS-level prompt, which grants it a "Full Space". The same permission model is supposed to apply to websites.

The report adds that Apple overlooked an augmented reality feature introduced in 2018: AR Quick Look, a WebKit feature carried over into the Vision Pro build that lets a web page display 3D models (USDZ files, a format based on Pixar's Universal Scene Description) straight from HTML, as it has done on iOS.

The feature also supports newer file types such as Apple's .reality format and includes Spatial Audio, which makes the 3D objects more realistic. These capabilities are on by default and do not require the user to enable any experimental settings.

The critical oversight was that Safari enforced no permission model for this feature. Moreover, it could be triggered by a programmatic JavaScript click, with no user interaction at all, the report added.

Consequently, visiting a malicious website could instantly fill the user's room with numerous animated, sound-producing 3D objects, a potentially alarming experience.
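The two checks the report says were missing, a real user gesture and an explicit per-site permission, are easy to model. The following is an added example written for this article, not WebKit, visionOS or the researcher's code, and it does not claim to show how Apple actually fixed the bug. It models AR Quick Look launches as click events on `rel="ar"` links using the real DOM property `Event.isTrusted` (false for clicks generated by script such as `element.click()`, true for real input); the gate, its function names, the object quota and the sample origin are all assumptions for illustration.

```javascript
// Added example: a model of the permission gate that the report says Safari lacked
// for AR Quick Look. Not WebKit/visionOS code; names, quota and event shapes are
// assumptions. Event.isTrusted is a real DOM property: false for script-generated
// clicks (element.click(), dispatchEvent), true for clicks from actual user input.

// Per-origin state: which origins the user has allowed via the (hypothetical)
// OS-level prompt, and how many objects each has placed in the shared space.
function createArGate({ maxObjectsPerOrigin = 1 } = {}) {
  const granted = new Set();   // origins the user explicitly allowed
  const launched = new Map();  // origin -> number of objects currently placed

  return {
    // Called when the user answers the prompt for an origin.
    grant(origin) { granted.add(origin); },
    revoke(origin) { granted.delete(origin); launched.delete(origin); },

    // Decide whether a click on <a rel="ar" href="model.usdz"> may place an object.
    // `event` mimics a DOM click: { isTrusted, origin, target: { rel, href } }.
    decide(event) {
      const { isTrusted, origin, target } = event;
      if (!target || target.rel !== 'ar') return { allow: false, reason: 'not-ar-link' };
      if (!/\.(usdz|reality)$/i.test(target.href)) return { allow: false, reason: 'unsupported-type' };
      // Missing check 1: script-driven clicks were honoured. Require a real gesture.
      if (!isTrusted) return { allow: false, reason: 'synthetic-click' };
      // Missing check 2: no permission model. Require the explicit grant.
      if (!granted.has(origin)) return { allow: false, reason: 'no-permission' };
      // Cap how many objects one origin may leave in the shared space.
      const n = launched.get(origin) || 0;
      if (n >= maxObjectsPerOrigin) return { allow: false, reason: 'quota' };
      launched.set(origin, n + 1);
      return { allow: true, reason: 'ok' };
    },
    placed(origin) { return launched.get(origin) || 0; },
  };
}

// Constructed scenario (not from the report): a page loops a.click() 500 times to
// spawn bats, then the user clicks one link by hand before and after granting
// permission. Returns the outcomes so they can be inspected or asserted on.
function runScenario() {
  const gate = createArGate({ maxObjectsPerOrigin: 3 });
  const origin = 'https://attacker.example';                 // assumed origin
  const link = { rel: 'ar', href: 'https://attacker.example/bat.usdz' };
  const results = { synthetic: {}, manualBefore: null, manualAfter: null, placed: 0 };

  for (let i = 0; i < 500; i++) {
    const r = gate.decide({ isTrusted: false, origin, target: link }); // like a.click()
    results.synthetic[r.reason] = (results.synthetic[r.reason] || 0) + 1;
  }
  results.manualBefore = gate.decide({ isTrusted: true, origin, target: link }).reason;
  gate.grant(origin);
  results.manualAfter = gate.decide({ isTrusted: true, origin, target: link }).reason;
  results.placed = gate.placed(origin);
  return results;
}

console.log(JSON.stringify(runScenario()));
```

With the gate in place, all 500 script-generated clicks are refused as synthetic, a genuine click is refused until the origin has been granted permission, and even a permitted origin is limited to a small number of objects. Persisting the objects after the page is closed, which the report also describes, is a separate lifecycle problem that a gate like this does not address.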

The researcher who found the vulnerability showed how a single website visit could flood a user's space with hundreds of spiders or screeching bats. Recognising the severity of the bug, Apple awarded the researcher a bug bounty of an undisclosed amount and has since fixed the issue, so Vision Pro users are no longer exposed to this attack.

Published: 21 Jun 2024, 11:13 PM IST