‘Spatial computing’ brings its own class of bugs: a flaw in the WebKit engine underlying Safari allowed attackers to inject unwanted digital objects into a Vision Pro user’s physical surroundings simply by getting them to visit a website. As a security researcher has now demonstrated, this could be used to make the headset wearer’s desk and room unexpectedly fill with spiders and bats. Apple has fixed the vulnerability in visionOS 1.2.
3D files take over the environment unhindered
Before a visionOS app can capture or manipulate the physical environment, the user normally has to consent first. The bar is also high in the Safari browser, explains developer Ryan Pickren, who reported the bug to Apple: VR content and stereoscopic 180/360-degree videos played via WebXR are only delivered after the user has given permission. There was, however, no prompt at all for previewing 3D files in the USDZ and .reality formats, Pickren noted. Such 3D models can easily be embedded in a website and launched programmatically when the page loads, so the user does not even have to click anything.
In his exploit demonstration, the headset wearer’s room instantly fills with hundreds of crawling spiders and screeching bats, complete with sound. A further problem is that there is no immediate emergency exit other than taking the headset off. Pickren explains that the 3D objects run in their own Quick Look preview process, not inside Safari, so a startled user who quickly closes the browser still won’t get rid of the spiders.
New attack scenarios for mixed reality
The security researcher writes that finding the bug was ultimately easy: he simply had to comb through old WebKit documentation until he came across a “neglected attack surface.” He notes that Apple has classified the bug as a denial-of-service issue, since a sufficiently large number of 3D models can crash the headset. He is more interested, however, in the new attack scenarios that mixed reality makes possible.
(lbs)