
Apple Fixes Vision Pro Hack That Can Flood Rooms With Your Biggest Fears

An Amazon engineer-turned-ethical-hacker finds a bug that allows websites to force animated 3D objects like spiders or bats into the Vision Pro's spatial environment.

June 21, 2024
Man wearing blue collared shirt and Vision Pro headset in an office setting. He has a neutral expression. (Credit: PCMag)

A white-hat hacker found an exploit for the Apple Vision Pro that could allow an attacker to spawn 3D animated objects or critters into a victim's environment. All the Vision Pro wearer would have to do is visit a random website via its Safari app.

"I found a bug in visionOS Safari that allows a malicious website to bypass all warnings and forcefully fill your room with an arbitrary number of animated 3D objects," writes Ryan Pickren, founder of BugPoC and former Amazon security engineer.

Pickren discovered the issue, CVE-2024-27812, back in February. But it took Apple four months to fix the exploit and award a bounty to Pickren, who describes the exploit code as "very straightforward." On Thursday, Apple summarized the issue as a Safari WebKit bug that could lead to a denial-of-service attack.

The exploit allows an arbitrary number of attacker-chosen 3D animated objects to appear in the physical space around the Vision Pro wearer. The objects can even carry spatial audio, so the sounds of screeching bats or crawling spiders feel even more realistic.

Victims wouldn't have to click on anything on the webpage in order for the objects to spawn. The exploit didn't require any specific experimental features to be switched on, either.

"Because visionOS does not have a Dock or any other Open Apps UI, there is no obvious way to get rid of them besides manually running around the room to physically tap each one," Pickren said of the slew of bugs and bats that filled his room.

Since its release, the Vision Pro has encountered its fair share of bugs and subsequent fixes. Earlier this year, a passcode bug briefly forced buyers of the $3,500 headset to return to Apple stores to get factory resets. The Vision Pro has faced a host of other WebKit bugs, as well. And iPhones aren't immune to WebKit exploits, either. Back in November, Apple said two iOS WebKit bugs were actively exploited and it released a patch.


About Kate Irwin

Reporter

I’m a reporter covering early morning news. Prior to joining PCMag in 2024, I was a reporter and producer at Decrypt and launched its gaming vertical, GG. I have previous bylines with Input, Game Rant, and Dot Esports. I’ve been a PC gamer since The Sims (yes, the original). In 2020, I finally built my first PC with a 3090 graphics card, but also regularly use Mac and iOS devices as well. As a reporter, I’m passionate about uncovering scoops and documenting the wide world of tech and how it affects our daily lives.
