vulnerability was brought to light by a cybersecurity expert who demonstrated the flaw using flying bats as an example. Notably, these virtual objects would persist in the user’s space even after Safari was closed. Reportedly, Apple has implemented stringent security measures to control what can enter a user’s personal space within Vision Pro.
Typically, native apps operate within a “Shared Space” environment, ensuring predictable behavior and easy closure. For a more immersive experience, apps must obtain explicit user permission through an OS-level prompt, granting them access to a “Full Space” context.
This permission model also extends to websites, maintaining a high level of security for the user. The report adds that Apple overlooked an augmented reality feature introduced in 2018. This feature, part of WebKit and present in the Vision Pro build, involves the AR Kit Quick Look – a method for rendering 3D Pixar files using HTML in iOS.
This standard supports modern file types like Apple’s .reality format and includes Spatial Audio, enhancing the realism of the 3D objects. These features are enabled by default and do not require user activation of experimental settings. The critical oversight was that Safari did not enforce any permission model for this feature.
Moreover, the feature could be activated through programmatic JavaScript clicking without any user interaction, added the report. Consequently, visiting a malicious website could result in the user’s room being filled with numerous animated and sound-producing 3D objects instantly, creating a potentially alarming situation. The cybersecurity researcher who discovered the vulnerability highlighted this issue, showing how a simple website visit could flood a user’s
Read more on livemint.com