A cybersecurity researcher and bug hunter named Ryan Pickren claims to have found the "world's first spatial computing hack," allowing malicious actors to fill the offices of their Apple Vision Pro headset-wearing victims with creepy-crawling spiders.
"I found a bug in visionOS Safari that allows a malicious website to bypass all warnings and forcefully fill your room with an arbitrary number of animated 3D objects," Pickren wrote in a blog post. "These objects persist in your space even after you exit Safari."
Fortunately for Vision Pro users, Pickren reported the bug to Apple back in February, and the company fixed it in June, as official documentation on the company's website shows.
Nonetheless, it shows that malicious actors could've easily exploited the browser baked into the headset's visionOS operating system and sent their victims a wild surprise.
"If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats!" Pickren wrote. "Freaky stuff."
Pickren wrote a short proof-of-concept exploit that could push animated files from a simple website to the headset without the wearer ever knowing.
"It turns out it was surprisingly easy to find a loophole in the visionOS Spatial Computing permissions model," Pickren wrote.
"This issue was introduced when an old iOS feature was ported to visionOS via the latest WebKit build," Pickren told Futurism in an email, referring to the engine that powers Apple's Safari browser. "The bug doesn’t really exist in iOS, it’s the intersection of the new spatial computing platform and the old feature that creates the privacy/security violation."
The news comes after other hackers found similar exploits that also affect Apple's WebKit. Just one day after the release of reviews for the Vision Pro, Apple released a security patch, citing a vulnerability that "may have been exploited" by hackers already.
A PhD student at MIT also claimed to have hacked the headset in February, with a "kernel exploit" that caused it to crash and reboot.
The latest hack, however, is far more fear-inducing than that. Pickren shared several videos showing spiders "literally crawling out of my malicious website," and spreading out across his desk.
Another clip shows "hundreds of screeching bats" filling his office and circling his head.
Worse yet, to exterminate the unwanted visitors, users would have to manually run "around the room to physically tap each one" as simply "closing Safari does not get rid of them."
It's an equal parts hilarious and terrifying hack that highlights some glaring oversights when it comes to a $3,500 device that takes up your entire field of vision.
However, Pickren has an idea about why the bug flew under the radar until now.
"I think triaging bug reports is really hard and rigid vulnerability classification taxonomies don’t always work," Pickren told Futurism. "You won’t find 'the issue fills the victim’s room full of spiders' in the [Common Vulnerability Scoring System] framework, which understandably makes it difficult for security analysts to quickly classify nuanced issues that exclusively impact entirely new computing platforms."
As for the future of the headset itself, The Information reported this week that Apple is giving up on a next-gen device and is focusing on a cheaper, less ambitious version instead. The tech giant has been struggling with sluggish sales and a drop in interest.
Complicating matters, the company still has plenty of bugs to squash.
"I hope Apple uses this report as an opportunity to more holistically evaluate impact and protect the customer experience," Pickren told Futurism. "I look forward to working with Apple again in the future."