Apple Was Apparently Notified About Major FaceTime Eavesdropping Bug Over a Week Ago [Updated]

[iApplereviews]

It means whoever is in charge of services at apple took over one week to temporarily disable group FT.

Not necessarily. Apple may not have known exactly where the issue was coming from. It could have been a number of things they had to narrow it down to Group FaceTime before they go and start disabling stuff.
[doublepost=1548795205][/doublepost]

It means whoever is in charge of services at apple took over one week to temporarily disable group FT.

The way this was acted upon was inline with the Vulnerability Disclosure Policy "For the protection of our customers, Apple generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available."

 

[Marekul]

What is the issue with the Touch Bar? The others I agree are issues, but I like the Touch Bar.

I have one and i hate it. It is too bright, no option to dim it or turn it of. Constant flickering is so annoying when switching between apps I had to set it to fixed default keys. Didn’t use fancy cover slider or emoji buttons anyway, using shortcuts without looking at keys.

Now when watching movie I have to first wake up emoji bar with tab then tab again to set brightness - then there is delay and no feedback so i end tabbing around a bit to get it to intended setting.

Now I can continue watching movie but no, emojie bar is still glowing bright. Have to watch a minute of movie with Touch Bar burning holes into my retina cause there is no way to pause movie without waking up Touch Bar.

Would be nice if you could choose but current 15” models feel like a downgrade to even 2011 models in so many aspects it’s sad.

 

[citysnaps]

But knowing about it and doing nothing until being called out is the real issue here.

Doing absolutely nothing... Really.

It sounds like you have inside knowledge of what happened internally at Apple. Do you?

Or...are you positing a scenario that dovetails and aligns with a narrative you hold about Apple in general?

 

[Rob_2811]

No you don't. I'm not going to trade tit for tat with someone who can't even tell the truth.

I will however point out the major flaw in your "logic" should be apparent if you truly did work in software development. Disabling an entire feature people rely on isn't the right answer and is wildly irresponsible because its a feature many people rely on daily. If we disabled major pieces of functionality every time a bug was found instead of isolating the problem you'd never be able to run any software.

FaceTime doesn't have the bug as Apple discovered when they did steps similar to what I outlined in my previous post. Group FaceTime is what has the bug, and once it was identified and seen to be something that couldn't be patched quickly, it was disabled. Again, this kind of thing takes time and research hence why they can't just up and disable something.

You tried to condescend to people and you don't really know what you're talking about.

The bold bit is the funniest. Rely on it daily? Group FaceTime has only been available since October and the same functionality is available widely elsewhere on an iPhone.

I'm not sure how it is any more responsible of Apple to disable Group FaceTime server side this week than it would've been last week either. What has happened to all of these people who's lives are reliant on Group FaceTime this week?

Your describing the situation as a bug shows a lack of understanding of the gravity of the situation, it isn't a missing character in the Emoji keyboard its a full scale security flaw which exposes millions.

 

[iApplereviews]

But knowing about it and doing nothing until being called out is the real issue here. Think recent slow-down scandal that they finally fessed up to only after getting busted. There is a pattern of bad behavior here. Apple clearly thinks its user base is stupid and gullible.

It says in their policy for stuff like this they don't mention it until it's verified. "For the protection of our customers, Apple generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available."

So explain what they did wrong?

 

[Rogifan]

Arn't Apple's responses to the woman private?

So did Apple not respond to her or they did but she can’t release their responses because they’re private?

 

[iApplereviews]

It may not be a quick fix.

Apple should have immediately disabled group FaceTime and announced they were working on some issues.

Again if you guys look "For the protection of our customers, Apple generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available."

They don't just mention stuff until its confirmed and steps are taken. If they announce it before hand more people can exploit the bug. The less people that know how the bug works the less people that can use it to harm.

 

[Rogifan]

It says in their policy for stuff like this they don't mention it until it's verified. "For the protection of our customers, Apple generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available."

So explain what they did wrong?

And the time it took for a public response...what are we comparing that to? Is there some typical or expected time frame a bug like this should be publicly addressed?
[doublepost=1548796596][/doublepost]

Again if you guys look "For the protection of our customers, Apple generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available."

They don't just mention stuff until its confirmed and steps are taken. If they announce it before hand more people can exploit the bug. The less people that know how the bug works the less people that can use it to harm.

Which is why rumor sites (and even John Gruber) publishing step by step instructions on how to re-create is reckless.

 

[Rob_2811]

Not true at all. Until it’s know what other effects are doing so will cause. You don’t take that step. Also, if you are involved you know that when a serious bug is found, protocols are in place to secretly work on it as long as it is not an active exploit that does not require something unusual to create the condition. Like starting a Group FaceTime call then calling yourself. Had they not decided to promote this on social media it would have been fix without the need for shutting down the entire network.

They haven't needed to shut the entire network down, Group FaceTime has been taken offline, everything else is fine.

Again this is not a normal software bug and It has been discovered by two separate people in the last week and posted online. It isnt something that requires any sophistication at all to take advantage of.

 

[ikramerica]

I have one and i hate it. It is too bright, no option to dim it or turn it of. Constant flickering is so annoying when switching between apps I had to set it to fixed default keys. Didn’t use fancy cover slider or emoji buttons anyway, using shortcuts without looking at keys.

Now when watching movie I have to first wake up emoji bar with tab then tab again to set brightness - then there is delay and no feedback so i end tabbing around a bit to get it to intended setting.

Now I can continue watching movie but no, emojie bar is still glowing bright. Have to watch a minute of movie with Touch Bar burning holes into my retina cause there is no way to pause movie without waking up Touch Bar.

Would be nice if you could choose but current 15” models feel like a downgrade to even 2011 models in so many aspects it’s sad.

Wow. That would annoy me too. I have the last unibody with core I 7. Would keep it forever but eventually Apple will stop supporting it in OS X for no good reason.

 

[iApplereviews]

And the time it took for a public response...what are we comparing that to? Is there some typical or expected time frame a bug like this should be publicly addressed?
[doublepost=1548796596][/doublepost]
Which is why rumor sites (and even John Gruber) publishing step by step instructions on how to re-create is reckless.

Exactly. Like taking your car to the shop the mechanic doesn't magically know the cause and solution to your issue. Telling Apple there is an issue doesn't mean they can instantly know the cause and how to fix it. They can't disable services when they don't know what may cause the issue.

 

[Rogifan]

We know apple knew about it over a week ago and we know there was a big media reporting about it yesterday and then almost right away the feature was disabled. Why did it take over a week to do that?

How do you know that disabling it a week ago was the correct course of action? And if Apple had disabled it they would have had to publicly disclose it otherwise people would try to use group face time and it would fail. I’m assuming Apple disabled it now because of the media frenzy and sites like this publishing instructions on how to re-create it.

 

[LogicalApex]

Asking for money + going to FOX "news" = zero credibility

Butg bounty programs are all about responsible security disclosure. In traditional security circles she would follow the same process. Disclose to Apple privately, collect bounty, and allow a certain number of days to patch. Once patched she would post how to exploit.

She could have instead ignored trying to tell Apple and collect and sold it on the dark web or spread it about immediately.

 

[newyorksole]

Ummmm...It's great having hindsight as to the nature, circumstances, edge case, extent, potential fix, and threat of the bug ahead of time, as you have now. It's so obvious when that information is handed to you.

I guess?
[doublepost=1548797193][/doublepost]

How do you know that disabling it a week ago was the correct course of action? And if Apple had disabled it they would have had to publicly disclose it otherwise people would try to use group face time and it would fail. I’m assuming Apple disabled it now because of the media frenzy and sites like this publishing instructions on how to re-create it.

Things and servers go down all the time. If Group FaceTime stopped working for me or said that it was unavailable then I would assume there was something going on with the server.
[doublepost=1548797263][/doublepost]

Exactly. Like taking your car to the shop the mechanic doesn't magically know the cause and solution to your issue. Telling Apple there is an issue doesn't mean they can instantly know the cause and how to fix it. They can't disable services when they don't know what may cause the issue.

But they were told about the issue and how to initiate it Lol. But I mean, who knows who actually received word about it.

 

[iApplereviews]

I guess?
[doublepost=1548797193][/doublepost]

Things and servers go down all the time. If Group FaceTime stopped working for me or said that it was unavailable then I would assume there was something going on with the server.
[doublepost=1548797263][/doublepost]

But they were told about the issue and how to initiate it Lol. But I mean, who knows who actually received word about it.

Ok and? Taking your car to the dealer and saying turning your headlights on turns the radio off doesn't fix the problem does it? Just like saying if i do so and so on FaceTime that means nothing to solving the issue and properly diagnosing it.

 

[SRLMJ23]

Fixed that for you.

Appreciate it, but obviously I know ALL software has bugs/security flaws.

 

[Rob_2811]

How do you know that disabling it a week ago was the correct course of action? And if Apple had disabled it they would have had to publicly disclose it otherwise people would try to use group face time and it would fail. I’m assuming Apple disabled it now because of the media frenzy and sites like this publishing instructions on how to re-create it.

The 'media frenzy' hasn't just appeared out of nowhere. Two users have discovered this by accident and posted about it online.

It's an easily discoverable issue that crops up when using basic functionality of Group FaceTime. You don't have to be adding your own number, the issue occurs when a third party is added to a call. Thats not really an edge case for a group video chat app.

Video here shows the issue without anybody adding their own number..

https://twitter.com/i/status/1090298850764644352

 

[GuruZac]

What does that mean? You’re going android?

Exactly. Unfortunately to jump ship over to Android is even worse from a consumer privacy and security experience. I like many of Androids phones, but I've remained loyal to Apple because of their stance on privacy. Let's hope this type of bug or lack of responsiveness on Apple's part doesn't become a trend.

 

[mi7chy]

It was reported so close to earnings that you can't blame Apple for taking the quiet stance to avoid media until post earnings to take action.

After all the crocodile tears, Tim Cook will eventually be recognized as the champion of privacy and security, the kid will be charged with hacking intrusion forfeiting any bounty, consumers will fall back to blind trust and Apple products will continue to be the only products on the market without physical audio/video disable switch like the HomePod.

 

[MarkB786]

Doing absolutely nothing... Really.

It sounds like you have inside knowledge of what happened internally at Apple. Do you?

Or...are you positing a scenario that dovetails and aligns with a narrative you hold about Apple in general?

So, the bug is still alive and active until they called on it publicly. If nothing else, they were hoping no one would notice and ended up having to pull the plug on group chat when word got out. They were clearly negligent here, and all your fan hopes and wishes won't change that. Your beloved Apple is crooked and self-serving.

 

[macduke]

This is the turning point for me regarding privacy. Apple has lost my trust.

I'm interested to hear which OS and device maker you will be switching to?

 

[chabig]

wow, give that 14 year old kid the full bug-bounty payout. $200,000 This should be the next part of this news story/ fiasco.

Of course, Apple probably won't because... well, they didn't listen 10 days ago and now they have a PR issue that will cost them millions.

Nah. This won't even cost them hundreds.

 

[cmaier]

This is the turning point for me regarding privacy. Apple has lost my trust.

The problem with that attitude is your only alternatives are to unplug or to switch to an ecosystem designed from the ground-up to invade your privacy. At least apple is trying.

 

[citysnaps]

So, the bug is still alive and active until they called on it publicly. If nothing else, they were hoping no one would notice and ended up having to pull the plug on group chat when word got out. They were clearly negligent here, and all your fan hopes and wishes won't change that. Your beloved Apple is crooked and self-serving.

More same-o conjecture; ie making stuff up.

 

[Packers1958]

iOS, so impressive a 14 year can find a major flaw. Tonight at 11, a 5 year old finds another flaw in iOS.