
MacRumors

macrumors bot
Original poster
Apr 12, 2001
64,408
32,218



Apple appears to have disabled Group FaceTime on its server side as a temporary workaround for a major bug discovered today that allowed anyone who places a FaceTime call to listen to audio from the recipient without them answering the call. The bug even extended to video in some circumstances.


As spotted by Mark Gurman, Apple's system status page now says "Group FaceTime is temporarily unavailable" as of 7:16 p.m. Pacific Time.

Apple killed FaceTime conferencing server side it seems. Right move. pic.twitter.com/H23W2tirgr - Mark Gurman (@markgurman) January 29, 2019

As a result, it is no longer possible to add your personal phone number to a Group FaceTime call, which was the underlying cause of the bug. Multiple editors on our team have confirmed being unable to add a phone number to a FaceTime call. One-on-one FaceTime calls continue to work normally.

Apple has promised to release a software update that permanently addresses the bug "later this week," and given the serious privacy implications, the company likely has engineers working on the update as we speak.

Group FaceTime is limited to iOS 12.1 and later.

Article Link: Apple Disables Group FaceTime as Temporary Workaround to Major Privacy Bug
 

iop

macrumors 6502
Apr 15, 2011
275
227
I've just disabled FT. If this kind of bug was allowed to happen, it's possible there are other hidden bugs. It's better to be safe than sorry. I highly recommend that everyone disable FaceTime on their Apple device at this point.
 

shareef777

Suspended
Jul 26, 2005
2,445
3,276
Chicago, IL
Glad to see they were quick with a mitigation to prevent privacy issues (not sure why they’re calling it a fix/workaround). Hoping they’re just as quick with a fix.

Edit: reading it’ll take a week. If so, that’s pretty shameful. A company of Apple’s size/stature shouldn’t take an entire week to fix a known bug that concerns privacy.
 

QCassidy352

macrumors G5
Mar 20, 2003
12,034
6,068
Bay Area
> I've just disabled FT. If this kind of bug was allowed to happen, it's possible there are other hidden bugs. It's better to be safe than sorry. I highly recommend that everyone disable FaceTime on their Apple device at this point.

Yeah... I'll pass, thanks. Nobody who FaceTimes me is going to try to spy on me, and if they did, I'd see it because it's not like someone can FT you without you knowing about it.

That said, it's still a good move to take down Group FT until a fix can be issued because the negative publicity from this is already out of control, and Apple is wise to cut it off now.
 

shareef777

Suspended
Jul 26, 2005
2,445
3,276
Chicago, IL
> Yeah... I'll pass, thanks. Nobody who FaceTimes me is going to try to spy on me, and if they did, I'd see it because it's not like someone can FT you without you knowing about it.
>
> That said, it's still a good move to take down Group FT until a fix can be issued because the negative publicity from this is already out of control, and Apple is wise to cut it off now.

But they CAN FT you without your knowledge with this bug. All it takes is a couple sec of you missing an incoming call and then it could be listening without your consent.
 

curmudgeonette

macrumors 6502a
Jan 28, 2016
586
496
California
> Apple appears to have disabled Group FaceTime on its server side as a temporary workaround

As I feared, Apple may be relying too much on server side security. This may be fine in a walled garden, but unacceptable out in the wild. Each client device needs to assume the worst and perform its own full security.

Wonder how long until someone reverse engineers the FaceTime protocol and uses it to directly attack targets? Suspect that such an attack could nearly instantly advance the connection to getting a video snapshot. It could then terminate, wait a few seconds, and then repeat. The result would be stop-action video, but the victim wouldn't notice a continuing connection. All they'd see is that they missed a FaceTime request.
 
Reactions: miniyou64 and z4co

Baymowe335

Suspended
Oct 6, 2017
6,640
12,451
> I've just disabled FT. If this kind of bug was allowed to happen, it's possible there are other hidden bugs. It's better to be safe than sorry. I highly recommend that everyone disable FaceTime on their Apple device at this point.

Lol, what are your qualifications to “recommend” that?

This stuff actually has a silver lining. It wakes up people that need to make sure this crap doesn’t happen. Bad look for Apple and I’m a big Apple defender. This isn’t fix and move on. Someone needs to be fired for it.
 

I7guy

macrumors Nehalem
Nov 30, 2013
34,453
24,252
Gotta be in it to win it
> As I feared, Apple may be relying too much on server side security. This may be fine in a walled garden, but unacceptable out in the wild. Each client device needs to assume the worst and perform its own full security.
>
> Wonder how long until someone reverse engineers the FaceTime protocol and uses it to directly attack targets? Suspect that such an attack could nearly instantly advance the connection to getting a video snapshot. It could then terminate, wait a few seconds, and then repeat. The result would be stop-action video, but the victim wouldn't notice a continuing connection. All they'd see is that they missed a FaceTime request.

For all we know, Apple, with this fix, may be beefing up FaceTime security.
 

az431

Suspended
Sep 13, 2008
2,131
6,122
Portland, OR
> As I feared, Apple may be relying too much on server side security. This may be fine in a walled garden, but unacceptable out in the wild. Each client device needs to assume the worst and perform its own full security.
>
> Wonder how long until someone reverse engineers the FaceTime protocol and uses it to directly attack targets? Suspect that such an attack could nearly instantly advance the connection to getting a video snapshot. It could then terminate, wait a few seconds, and then repeat. The result would be stop-action video, but the victim wouldn't notice a continuing connection. All they'd see is that they missed a FaceTime request.

This has nothing to do with “server side security.” Apple disabled a service.
 

Krizoitz

macrumors 68000
Apr 26, 2003
1,748
2,100
Tokyo, Japan
> Edit: reading it’ll take a week. If so, that’s pretty shameful. A company of Apple’s size/stature shouldn’t take an entire week to fix a known bug that concerns privacy.

I’m a software tester; taking a week is incredibly fast. There is nothing shameful about it. You first have to have the engineers identify the appropriate fix. Throwing dozens of people at it isn’t going to help; only a handful of people are going to have the expertise in the area to address it, and you’re going to want your highest-level engineers on it, meaning even fewer. Once they have identified the source of the bug, you have to decide on the fix and actually make it. Then it has to be reviewed to try and avoid other bugs. After that you have to take time to test the fix. Testing involves not just this specific scenario but potentially hundreds of other scenarios involving FaceTime and other features that might be impacted. And you have to do that fixing and testing across the entire line of products, macOS and iOS. That’s also going to take time. Even working around-the-clock shifts, there is only so fast you can move. Plus they are probably going to do some extra testing around FaceTime to try and catch any other bugs like this. Software development, especially of this scale, is hard. There is a reason the people who can do it well make a lot of money.

What would be shameful is rushing out a quick fix that solves this problem but possibly introduces other ones. Apple has taken the quickest possible step to protect users and now will fix the bug. They did this 100% the right way so far.
 

GetSwole37

macrumors regular
Jun 23, 2010
168
152
> Lol, what are your qualifications to “recommend” that?
>
> This stuff actually has a silver lining. It wakes up people that need to make sure this crap doesn’t happen. Bad look for Apple and I’m a big Apple defender. This isn’t fix and move on. Someone needs to be fired for it.


“Someone needs to be fired”. Lol. Only if they put the code in there for this. It’s a bug!
 

Baymowe335

Suspended
Oct 6, 2017
6,640
12,451
> I’m a software tester; taking a week is incredibly fast. There is nothing shameful about it. You first have to have the engineers identify the appropriate fix. Throwing dozens of people at it isn’t going to help; only a handful of people are going to have the expertise in the area to address it, and you’re going to want your highest-level engineers on it, meaning even fewer. Once they have identified the source of the bug, you have to decide on the fix and actually make it. Then it has to be reviewed to try and avoid other bugs. After that you have to take time to test the fix. Testing involves not just this specific scenario but potentially hundreds of other scenarios involving FaceTime and other features that might be impacted. And you have to do that fixing and testing across the entire line of products, macOS and iOS. That’s also going to take time. Even working around-the-clock shifts, there is only so fast you can move. Plus they are probably going to do some extra testing around FaceTime to try and catch any other bugs like this. Software development, especially of this scale, is hard. There is a reason the people who can do it well make a lot of money.
>
> What would be shameful is rushing out a quick fix that solves this problem but possibly introduces other ones. Apple has taken the quickest possible step to protect users and now will fix the bug. They did this 100% the right way so far.

Logical post.

I bet there are a few people up late at 1 Infinite Loop tonight though, working on just what you’ve described. Tim Cook is likely not far away either and probably isn’t happy.
> “Someone needs to be fired”. Lol. Only if they put the code in there for this. It’s a bug!

Again, huge Apple defender here. Follow my posts. I’m like one of the few that has some logic to my posts here.

I work at a mega corporation and this is the kind of stuff that will get people fired, as it should.

Yes, it’s a bug, but some of them can’t happen. It may be no one’s fault, but that’s too bad. When privacy is a pillar of your company, and I do think Apple is one of the few that actually cares about privacy, this one can’t happen.
 
Reactions: paulCC and David G.

TVreporter

macrumors 68000
Mar 11, 2012
1,945
3,194
Near Toronto
The PR machine will be up late tonight too with some great spin lines for Tim to spew tomorrow!

What a PR disaster - let’s hope this was restricted to Group FaceTime and not something that’s been accessible for longer.
 
Reactions: apolloa

sfobear

macrumors member
Nov 9, 2011
37
62
San Francisco, CA
I can totally understand why this was missed in testing. You’re placing a call and then you add your own number to the call...it would never occur to me that I could even try to do that, I’m already “using my line.”

This is why I respect QA testers—they have devious minds and spend their days thinking of edge cases like this. :)
 

HiRez

macrumors 603
Jan 6, 2004
6,258
2,591
Western US
> Glad to see they were quick with a mitigation to prevent privacy issues (not sure why they’re calling it a fix/workaround).

Exactly, a "workaround" is another way to accomplish the same thing (albeit usually more laboriously). This is just blocking a broken system from being used at all. Which is totally fine and understandable in this case, but please don't call it a "workaround".
 

cmaier

Suspended
Jul 25, 2007
25,405
33,473
California
> I can totally understand why this was missed in testing. You’re placing a call and then you add your own number to the call...it would never occur to me that I could even try to do that, I’m already “using my line.”
>
> This is why I respect QA testers—they have devious minds and spend their days thinking of edge cases like this. :)

Adding my own number was one of the first things I tried as a beta tester, because I had no one else to test it with.
 
Reactions: z4co