Was vulnerability reported 9 days ago and ignored?
A soon-to-be famous teenager appears to have discovered a major bug in Apple FaceTime's group chat feature nine days ago: Twitter user MGT7500 tagged the official Apple Support account in a January 20 tweet claiming that their 14-year-old son had discovered the “major security flaw”, but drew no response.
The bug allows users to hear audio from the person they’re calling – even before they have answered the phone. Knowledge of how to use it spread virally after being picked up by users and then reported on 9to5mac.com. It is believed to have affected any pair of iOS devices running iOS 12.1 or later.
My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport…waiting to hear back to provide details. Scary stuff! #apple #bugreport @foxnews
— MGT7 (@MGT7500) January 21, 2019
Apple was forced to acknowledge the issue on Data Privacy Day.
As Ars Technica explains, to make the bug work, iOS users had to:
- Tap on a contact on their iPhone to start a FaceTime call with them.
- Swipe up and tap “Add Person.”
- Instead of adding a new person, enter their own number and add themself as another participant in the Group FaceTime call.
The apparent early identification of the bug sparked a flurry of interest on social media as journalists awaited the story, and also triggered a fresh debate about the utility or otherwise of bug bounty programmes.
“This was yet another vulnerability handling process issue that is *not* solved by having a strong security engineering team and even a bug bounty”, Katie Moussouris, the CEO of Luta Security and a world-renowned expert on vulnerability disclosure programmes, emphasised, amid information security industry chatter about the right channel for reporting vulnerabilities.
This was yet another vulnerability handling process issue that is *not* solved by having a strong security engineering team & even a bug bounty. Apple has both.
But as a consumer-facing company, they didn't train their consumer-facing channels to route quickly & efficiently.
— Katie Moussouris (@k8em0) January 29, 2019
With Apple having disabled group FaceTime chat functions until the issue is patched, some users had other, more old-fashioned suggestions to boost smartphone security amid seemingly endless vulnerabilities and user data exploitation issues: introduce hard switches for microphone, camera and GPS.
It seems unlikely to happen anytime soon, but the enterprising manufacturer that gives users back real control might just make a fine profit.