This is not the first time Apple has shown they don't give a damn about user reports of security bugs. Log in Password in from last year, and numerous others.

Sad state of Apple.
Good Lord. You think just a week for Apple to log, verify, review, and address a bug is a sign that they don’t give a damn? That it’s a sad state of Apple?

I think that’s a sad state of expectations. Please enlighten us as to what Apple-sized company regularly does better.
 
"She also wanted to keep the bug private, but she did tweet Fox News about it." riiiigghhhtt

Well, how else can you force a company to fix it? I don't think keeping it private would do anything 'good'. Any more will believe everything is ok.

I guess a tweet is not considered private if everyone else can read it too.

Good Lord. You think just a week for Apple to log, verify, review, and address a bug is a sign that they don’t give a damn?

I think that’s a sad state of expectations. Please enlighten us as to what company Apple size regularly does better.

But the more sensitive the bug, the bigger/immediate attention it should get, right? Apple still 'needs' to confirm it exists. Didn't they also say "it was not viable in the screenshot"? That sounds more like they wouldn't action it, but then how can you provide "a third person" while still maintaining your privacy? Impossible, I say.

Unless you did it to three of your friends.
 
You obviously don't work in software development. Let me give you a play by play of what generally happens in this kind of situation.

1. Someone first has to see the bug. Tweeting/Facebook/etc means nothing. Social media accounts aren't monitored 24/7 and even so, with thousands of people tweeting/facebook messaging/etc, there's a good chance what was sent on there doesn't get seen. The bug reporting system is truly the only way to ensure it gets through, and again, it depends when someone sees it.

2. The bug needs to be reproduced. Without reproduction it can't be fixed. This looks very easy to reproduce so this step likely went quickly.

3. Developers get dispatched to the bug (or since FaceTime is very complex, likely a team) who figures out what is causing the bug. This isn't instant, this can take a very long time to figure out. Reading code isn't like reading a word document and bugs, especially ones involving networking calls can be very tricky to figure out.

4. Once the cause is defined then the scope/impact of fixing it needs addressed. Does the bug ONLY affect Group FaceTime? Does it affect other things? Is it something a patch (which needs developed and tested) can fix? This kind of thing isn't instant either and can take a lot of time to figure out.

5. Once all of the above is figured out then a plan of action is implemented. In this case, Apple decided they need more time to fix the bug and took Group FaceTime down immediately.

You and others need to stop with the silly conspiracy theories already. Educate yourself on how such a thing happens and realize that fixes aren't usually instant.
Who cares. If anything weird is going on... you immediately halt it. For example: Tim Cook is using your bank account... and noticed 999 dollars were missing. You gotta call the bank to freeze the account and investigate. This happened a week ago! You’re going to tell me that Tim Cook has to reproduce the situation by draining your bank account to confirm this?
Since bug reporting is the way to go... they should be on any bugs asap.
 
There is a huge amount of Apple defenders in this thread who could work for a country's military as propaganda agents because Apple has screwed up badly on this one but yet the Apple defenders are coming out in force to try and discredit the person who originally reported the bug. They are doing everything they can to find fault with the person to basically protect Apple.

Now we can see why Apple behave the way they do with pricing when they know they have people who are prepared to defend them to the hilt, even when the company is clearly in the wrong.
 
Yeah, this just adds to my thesis that someone should lose their job over this.

Apple likely "knew" about it and was working on a fix, but didn't sound alarm bells because that's the worst thing you can do if the fix isn't implemented. Actually, it's still something you wouldn't want to publicize. Tough position.

I don’t think it was a tough position at all. Apple was trying to have it both ways here. Fix the bug, but allow things to continue on as normal so they did not receive bad press. They were totally hoping this would fly under the radar as I am sure things do all the time. So instead of disabling group FaceTime like they should have, they just pretended nothing was wrong. That is pretty messed up and ended up making them do what they should have done anyway, only with even worse press. Not a very good move on their part.
 
There is a huge amount of Apple defenders in this thread who could work for a country's military as propaganda agents because Apple has screwed up badly on this one but yet the Apple defenders are coming out in force to try and discredit the person who originally reported the bug. They are doing everything they can to find fault with the person to basically protect Apple.

Now we can see why Apple behave the way they do with pricing when they know they have people who are prepared to defend them to the hilt, even when the company is clearly in the wrong.
It works just as well the other way around. However reality is much more nuanced than that and just because someone isn't on one extreme doesn't mean they are then automatically on the other opposite one.
 
It works just as well the other way around. However reality is much more nuanced than that and just because someone isn't on one extreme doesn't mean they are then automatically on the other opposite one.

M.R is the one making the thread and highlighting the issue which shows Apple to be in a negative light. Therefore what you write is irrelevant.
 
M.R is the one making the thread and highlighting the issue which shows Apple to be in a negative light. Therefore what you write is irrelevant.
Not sure what that has to do with what I commented on.
 
There is a huge amount of Apple defenders in this thread who could work for a country's military as propaganda agents because Apple has screwed up badly on this one but yet the Apple defenders are coming out in force to try and discredit the person who originally reported the bug. They are doing everything they can to find fault with the person to basically protect Apple.

Now we can see why Apple behave the way they do with pricing when they know they have people who are prepared to defend them to the hilt, even when the company is clearly in the wrong.

Do you honestly believe that Apple should immediately shut down their services as soon as any third-party reports anything? Do you know how many people are trying to contact Apple at any given time?

Glad you're not running anything.
 
No I’m saying I’m skeptical about the current narrative that she alerted Apple and the company did nothing about it for over a week and only responded when it blew up on social media/rumor sites.
We know that is likely what happened since Apple didn't disable group FaceTime until after the news reports.
 
There is a huge amount of Apple defenders in this thread who could work for a country's military as propaganda agents because Apple has screwed up badly on this one but yet the Apple defenders are coming out in force to try and discredit the person who originally reported the bug. They are doing everything they can to find fault with the person to basically protect Apple.

Now we can see why Apple behave the way they do with pricing when they know they have people who are prepared to defend them to the hilt, even when the company is clearly in the wrong.
You don’t know who reported this bug. You only know one person who tweeted they reported it. No knowledge of who was first.

That aside there are defenders, bashers and everyone in between.

In your eyes Apple is in the wrong, to others they responded appropriately. It’s not an all or nothing event based on one’s confirmation biases.
 
Why? Apple has a bounty program in place for a reason. She’s entitled to apply for it and a bug of this severity is definitely worth a reward imo.
What exactly is Apple's bounty program? Last I heard is that it was fairly limited and fairly specific/targeted and that only particular vetted/approved researchers are essentially part of it.
 
But the more sensitive the bug, the bigger/immediate attention it should get, right?
A week is impressively prompt for any tech company, especially for one the size of Apple. You won’t see much quicker. A lower sensitivity bug would get addressed in weeks by a security update or months by an x.x.1 system software update.
 
What exactly is Apple's bounty program? Last I heard is that it was fairly limited and fairly specific/targeted and that only particular vetted/approved researchers are essentially part of it.
Yeah, which is sure not helping, having one of the worst bug bounty programs in Silicon Valley.
 
Again if you guys look "For the protection of our customers, Apple generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available."

They don't just mention stuff until it's confirmed and steps are taken. If they announce it beforehand more people can exploit the bug. The less people that know how the bug works the less people that can use it to harm.

In this case though, Apple should have immediately disabled group FaceTime. They didn't need to specify why (looking into issues).
 
When is Apple gonna get their QC **** together? It’s one issue after another lately. Always putting fires out. What are they doing? SMH
 
Good Lord. You think just a week for Apple to log, verify, review, and address a bug is a sign that they don’t give a damn? That it’s a sad state of Apple?

I think that’s a sad state of expectations. Please enlighten us as to what Apple-sized company regularly does better.

It's a sad state because Apple should have disabled group FaceTime while addressing the bug.
 
I don’t think it was a tough position at all. Apple was trying to have it both ways here. Fix the bug, but allow things to continue on as normal so they did not receive bad press. They were totally hoping this would fly under the radar as I am sure things do all the time. So instead of disabling group FaceTime like they should have, they just pretended nothing was wrong. That is pretty messed up and ended up making them do what they should have done anyway, only with even worse press. Not a very good move on their part.
I don’t disagree with either approach. Apple has to protect their business and they did what they thought was best, which I disagree with in many ways. I think someone should be fired for this.

However, given that the situation was serious, I can understand them trying to keep it under wraps. Let’s be real...it’s been like this for a while, so it’s business as usual unless the “hack” gets press.
 
More same-o conjecture; ie making stuff up.

The facts align. Although I understand how the fan fog that Apple has successfully trapped you in makes it hard for you to see that. Let's see how Apple manages the lawsuit. That will tell lots.

Don't worry, I can empathize. I used to be stuck in that same fog.
 
The facts align. Although I understand how the fan fog that Apple has successfully trapped you in makes it hard for you to see that. Let's see how Apple manages the lawsuit. That will tell lots.

Don't worry, I can empathize. I used to be stuck in that same fog.

Oh stop it - that's so juvenile and a sign you're out of gas. If you want to make stuff up, that's fine. Just don't pretend it's the truth.
 
Does ANYONE understand how software development in a multi-billion dollar company works? Gee, I wonder why she couldn't just call Tim directly and he could have issued a fix the next day. It could take a week just to get the "bug report" to the right desk. Can you imagine how many of these messages, 99.9% of which are bogus, are sent to Apple every day? Did she actually file a radar report, which is the official way of submitting a bug report? Once the right person sees the report and checks it out and decides it's legitimate, then they have to get that to the software folks who need to be convinced to drop everything they are doing and create a special release version. Of course someone has to figure out the best way to fix the bug. Hopefully no key person decided to take a day off and go skiing. Oh, don't forget about testing once the fix is in.

Gosh, she waited a week after sending a tweet and an email (which asked for money) and nothing happened. Maybe she should just try to call the President and have him do something about it the next day.

From my experience, bugs can be filed on radar but never be looked at for years. It's true now, and it was true thirty years ago, when Apple was much smaller.

Sure they get a lot of bug reports. That means they should scale their QA team along with the rest of the company, to avoid this kind of disaster.
 
I think that the poster meant that Apple was intentionally not addressing the user security by not immediately shutting down the group FaceTime (i.e. they chose to leave group FaceTime enabled even though they knew it compromised user security).

I have seen this argument so many times. Why would they do this?

Scenario:
Person A: Group FaceTime has a serious security flaw
Apple: LET'S SHUT IT DOWN WITHOUT VERIFYING FIRST!!!!!

You do not just blindly shut services down if something is reported. You investigate the issue and if it is not possible to hotfix, then you shut it down. Plus, this might not have been directly related to group FaceTime. It could have been just one of the ways that caused the bug to appear.
 
Apple does not pay enough attention to problems with their products. Their own discussion forum says that no one from Apple reads it.
 