Imagine thousands of spiders and bats surrounding you and you can hear them. This would be a scary and nightmare for anyone. Now, some hackers are creating this fear in the users of Apple’s Vision Pro. Cybersecurity researcher Ryan Pickren has discovered a critical vulnerability in Apple’s Vision Pro headset that allows hackers to fill the users’ virtual environment with swarms of creepy spiders and screaming bats.

In his blog, Pickren revealed that he has pinpointed a bug in Vision Pro’s Safari browser that allows the malicious website to bypass all security warnings. Once exploited, the bug allows the attacker to fill the user’s augmented reality space with a plethora of animated 3D objects—spiders, bats, and other scary entities. To make this attack even more frightening, these virtual crawlers are not just visual; they can also come with sound, increasing the fear even more as they crawl and fly around the user’s real-world environment.

How hackers exploit this bug in Vision Pro

According to Pickren, hackers exploit this vulnerability by tricking users into visiting a compromised website. Once the site is opened in Vision Pro’s Safari browser, the malicious code is activated and floods the user’s space with these nasty bugs. What makes this attack even more serious is that to launch this cyberattack, hackers do not require any user interaction other than visiting the malicious site, making it easy to exploit.

What are the implications of this bug?

At first glance, the issue of virtual insects crawling around may not seem like a big deal. However, it creates two significant problems: psychological distress and practical inconvenience. The sudden appearance of an army of virtual spiders or bats can cause considerable fear and anxiety, especially for those who suffer from phobias. Beyond the psychological terror, users face the additional frustration of having to remove these unwanted virtual entities.

According to Pickren, there is no direct way to remove these pests; users must manually tap each insect in their augmented reality space. Simply closing the Safari browser does not eliminate the problem, but users are forced to play a digital game of pest control.

Apple is fixing this issue

Fortunately, Apple has resolved this issue. Pickren reported the bug in February, and Apple worked to improve the vulnerability, releasing a fix in June. Pickren noted that traditional vulnerability classification systems cannot adequately cover the unique threats posed by spatial computing. The “fill the room with spiders” scenario is not a standard category in existing frameworks, making it harder for security analysts to identify and prioritize such issues.