But knowing about it and doing nothing until being called out is the real issue here. Think recent slow-down scandal that they finally fessed up to only after getting busted. There is a pattern of bad behavior here. Apple clearly thinks its user base is stupid and gullible.

Again, why would they just blindly disable Group FaceTime without any research? The Group FaceTime issue could have just been one of the ways to make this bug appear.

If they blindly disabled this feature without any research first, can you imagine how bad that would be?

"Group Facetime has a serious security flaw. Do X, Y Z and this happens"
*Apple disables group Facetime before researching....nothing found. Re-enabled group Facetime.

"Group Facetime has a serious security flaw. Do X, Y Z and this happens"
*Apple disables group Facetime before researching....nothing found. Re-enabled group Facetime.

"Group Facetime has a serious security flaw. Do X, Y Z and this happens"
*Apple disables group Facetime before researching....nothing found. Re-enabled group Facetime.

And so on and so on.
You obviously don't work in software development. Let me give you a play-by-play of what generally happens in this kind of situation.

1. Someone first has to see the bug. Tweeting/Facebook/etc means nothing. Social media accounts aren't monitored 24/7 and even so, with thousands of people tweeting/facebook messaging/etc, there's a good chance what was sent on there doesn't get seen. The bug reporting system is truly the only way to ensure it gets through, and again, it depends when someone sees it.

2. The bug needs to be reproduced. Without reproduction it can't be fixed. This looks very easy to reproduce so this step likely went quickly.

3. Developers get dispatched to the bug (or since FaceTime is very complex, likely a team) who figures out what is causing the bug. This isn't instant, this can take a very long time to figure out. Reading code isn't like reading a word document and bugs, especially ones involving networking calls can be very tricky to figure out.

4. Once the cause is defined, then the scope/impact of fixing it needs to be addressed. Does the bug ONLY affect Group FaceTime? Does it affect other things? Is it something a patch (which needs to be developed and tested) can fix? This kind of thing isn't instant either and can take a lot of time to figure out.

5. Once all of the above is figured out then a plan of action is implemented. In this case, Apple decided they need more time to fix the bug and took Group FaceTime down immediately.

You and others need to stop with the silly conspiracy theories already. Educate yourself on how such a thing happens and realize that fixes aren't usually instant.

Exactly, 100%. Can you imagine the consequence if it was not Group FaceTime that was the root cause and they disabled it before even researching the issue? Are people wanting Apple to panic, as if we yelled "Fire" or "Bomb" in a public place, by immediately shutting services down without ANY research and plan?

I could see the Class Action lawsuits and headlines now.

"Apple has a serious issue with their bug response team by simply disabling services based on strangers' words without any research into the issue"
 
iOS, so impressive a 14-year-old can find a major flaw. Tonight at 11, a 5-year-old finds another flaw in iOS.
Not sure what your point is, but since you didn’t find the flaw yourself I think what you just did is what the Internet calls a “self own.”
 
I do.

If Apple is as staunch an advocate for privacy as they claim, FaceTime is taken offline as soon as this is replicated.

Ugh, this is also thrown out for this issue SO MANY TIMES. There is a difference between security by design and a bug. Can people really not understand this? This is a BUG. Apple did not design this to get your data out. How many hackers or NSA/FBI agents are calling you through FaceTime to get your critical data? 99% of the time, you won't be speaking about national security, or having a good time with your wife, or speaking about your health issues, or saying your social security number out loud, or whatever "privacy" concerns you have during a FaceTime call.

This is the most inefficient way of breaching privacy. Most of the time things will be silent or the user will hear "Not this guy again" or something similar.
If iCloud is breached, it will likely be caught by Apple’s Cyber team and acted upon immediately. There is a giant difference between a breach and a software bug being reported through a ticketing system.

Exactly. Things are prioritized by severity, like I mentioned in my previous post. The only "privacy" issue with this is if you are saying your social security number as soon as the FaceTime call wants your approval, or speaking about national security, or spending "quality" time with your wife. This is completely different than hacking storage servers. How many times do hackers or the NSA/FBI initiate FaceTime calls with you to get your "private" data? I think you need better friends, or to stop speaking to your family, if you are this concerned about what you say for the 1+ minute (longer? shorter?) while the FaceTime call is waiting for approval. Or just disable this feature and you have nothing to worry about.

I haven't received a FaceTime call in weeks. People are acting like this is SO WIDESPREAD and people's information is compromised by this, like they already had their identity stolen.
 
None of this is relevant.

Any half-decent company would have taken this evidence and immediately raised at LEAST a P1 ticket, if not higher. It's absolutely inexcusable for a security incident this serious to not at least have been triaged to a very high priority.

Depending on the priority categories they have, I wouldn't classify this as a Priority 1. Those are usually reserved for more of a privacy breach, like an iCloud breach due to a bug found on the login screen that allows any user to log in to anybody's iCloud account and view their data.

Another possible explanation as to why they disabled Group FaceTime now instead of last week: Apple probably has some very basic logging on Group FaceTime calls. It could be very possible that they track things like who was in a group, who initiated it and how long it took. Just some basic metadata. Before this started spreading, maybe they had just a few occurrences of this where the initiating user was also added as a group member. Since this started getting more attention this week, more people were doing this, and that is when they decided to shut it down before applying the fix.
You tried to condescend to people and you don't really know what you're talking about.

The bold bit is the funniest. Rely on it daily? Group FaceTime has only been available since October and the same functionality is available widely elsewhere on an iPhone.

I'm not sure how it is any more responsible of Apple to disable Group FaceTime server side this week than it would've been last week either. What has happened to all of these people whose lives are reliant on Group FaceTime this week?

Your describing the situation as a bug shows a lack of understanding of the gravity of the situation. It isn't a missing character in the Emoji keyboard; it's a full-scale security flaw which exposes millions.

People are still making this a much bigger issue than it is. I haven't received a FaceTime call in a few weeks, let alone a Group FaceTime. I have never received a random Group FaceTime from a hacker or the NSA/FBI. How exactly does this expose "millions"? This isn't like a security flaw on a data server where you have all your tax documents and they can be looked at while you are sleeping.

What are the chances that you are speaking about such a critical health issue, saying your Social Security Number/Bank Account/Whatever, or any number of "privacy" issues when a FaceTime call is waiting for approval? If you know someone that has done this to you intentionally, a friend or family member, I would seriously have a discussion with them. There are more things going on than this bug if you have people in your life that will exploit this to try to invade your privacy.

This is the absolute worst way of breaching privacy. 99% of the time you will probably hear silence or someone saying "not this guy again" or some white noise.
It's a sad state because Apple should have disabled group FaceTime while addressing the bug.

No, you absolutely should not. You should not randomly disable things just because Joe Somebody says if they perform X, Y, Z it exposes a security flaw. If they did that, the services would always be offline because they'd shut them down before or while they are researching the issue. What if it was not Group FaceTime that was the root cause of this bug and they disabled the feature for nothing?

Besides, the people verifying the bugs do not and should not have access to disable this type of feature. That requires a senior staff member and probably requires meetings to discuss if it is absolutely needed to do so.
 
:confused:

Truthfully though....this is a major blunder on Apple's part. I'm sure they get an inordinate amount of bug reports, both major and minor, every day. But when someone puts this on your radar on multiple fronts and it goes completely unanswered, it's a sign that the review process is fundamentally flawed.

If this lady reported it on the 21st the Group FaceTime service should have been offline no later than the 22nd and there should have been a press release detailing the issue and the corrective action. Instead it sat there for a week until it blew up in their face.

No way to spin this other than a massive failure by Apple. Hopefully they learn from it and are better for it going forward.
I don’t think it is fundamentally flawed. If multiple people reported this bug on different channels, sure, you could say that. But one person reporting on multiple channels is called spamming. They actually might even have a filter in place to toss those out.

People are being melodramatic here. It wasn’t a big deal as almost no one knew about it until yesterday and it was disabled server side within hours of the story breaking.
 
Wow. Apple should have been more transparent about this issue and it should have immediately disabled Group FaceTime. Immediately. For a company that touts privacy and security as its main focus, this is inexcusable.
Just like they should have been more upfront with the battery..... when will people learn that companies are in it for the money?
 
After over a week.
Yes. A whole entire week. To receive, validate, analyze, and determine an action against one of thousands of bug reports to one of the largest tech companies on the planet with an installed user base approaching ¾ of a billion. One week. You seem to know a lot about standard turnaround times in the industry. Please share how many days it should have taken, preferably with some other examples.
 

Regarding this 'it took a whole week' issue, I have indirectly worked with software developers/product support within the mobile phone industry (mainly NEC) and I can tell you from personal experience, considering the severity of the bug, a week to take action is way too long.

Any software bugs that need to be reported and dealt with quickly and efficiently must be communicated to the company via official channels (support email and/or support telephone). If using the support phone line, a transcript of the conversation will be written down so it can be assessed more easily. Whether by email or phone, the bug will be given a priority level: low, medium or high. The employee(s) tasked with seeing the emails and/or phone transcripts will enter the details on the company's internal support system/database.

The support team should have different levels. These 'levels' determine who deals with low, medium and high level bug reports. High level bug reports are most commonly seen by a senior level support employee and are dealt with within a few hours of them being submitted. This employee will then discuss the bug with his/her immediate manager to determine if the issue should be escalated higher. This manager will then request a meeting with other support managers to discuss and determine if the bug is serious enough to cause widespread problems and if further immediate action needs to be taken.

Depending on the time of day the bug was submitted via the official channels, these meetings should take place the next day. The meeting should commence immediately at the start of the work day. If it is concluded that the bug has the potential to cause serious problems/issues for its customers, a 'threat/security analysis' will take place as to what initial actions need to take place to prevent or limit the bug's effects. Usually it will be the senior department head who will make the decision to go with whatever has been decided, BUT if the recommended action is to put a temporary halt to certain services that could affect EVERY customer, like stopping a server, this would need to be approved at the corporate level.

The PR department will then be informed that they will have press releases to make, ready for when the server is shut down. Corporate will give the go-ahead for the server to be stopped, the senior department head will instruct the support team manager to stop the server, whilst also telling the PR department to release the press release.

If a company takes privacy and security of its customers seriously then such a serious bug should only take 3 days max for the company to take action. Anything more would be seen as a failure.
 
Perfect theoretical timeline and something to strive for. Things in reality may be different however.
 
You think what I typed was 'theoretical'?? What I typed was a system that was in place and being used at NEC, which is why I know about it, being a former employee of the company. Maybe others should learn to follow the same.
 
In this case though, Apple should have immediately disabled group FaceTime. They didn't need to specify why (looking into issues).

Perhaps Apple didn't know the exact details because they didn't want to pay the bug bounty. Apple only knew when the public knew.
 
Well, there you go. I see where your head's at.

My head has always been in the same place since I bought a Fat Mac as my first Apple computer (not my first computer). It's Apple that seems to be confused and trying, or giving the impression of trying, to hide "bad news".
 
Let’s be real...it’s been like this for a while, so it’s business as usual unless the “hack” gets press.

Yeah but that’s wrong. In the meantime they are allowing people’s privacy to be compromised without their knowledge. For a company that crows about privacy, that’s really bad and hypocritical.
 
That's why someone needs to be fired and I said that from the beginning.
 
Each company operates differently is the point, hence the term theoretical. One size shoe doesn’t fit all. I’d be very surprised if any one of the Fortune 500 companies didn’t have a plan in place.
 
Oh, stop it. That's so juvenile and a sign you're out of gas. If you want to make stuff up, that's fine. Just don't pretend it's the truth.

Apparently I'm not the only one who can see through the fan fog. Love it when I'm right.

"According to Bloomberg, the New York officials will be focusing on Apple's failure to warn consumers about the bug and its slow response."
 

Yes...I suspect those NY officials have similar qualifications to assess Apple’s written policies on dealing with software security issues reported by the public.


“Love it when I’m right.”

Of course you do, that’s narcissism speaking.
 
Good Lord. You think just a week for Apple to log, verify, review, and address a bug is a sign that they don’t give a damn? That it’s a sad state of Apple?

I think that’s a sad state of expectations. Please enlighten us as to what Apple-sized company regularly does better.

Good Lord, they didn't "address" the bug in a week; that would likely take weeks. They disabled the function entirely. And it is not hard to log, verify or review this bug. It was the same as the password login issue that took weeks of reporting before someone had to blow it up in the media and Apple took action. And this isn't the first, second, or third time it has happened. It is a sad state because it isn't a one-off. And nothing has been done with regards to Apple's security input channels.

>Please enlighten us as to what Apple-sized company regularly does better.

None, but being best in the sad state of market where Google and Facebook are actively collecting data does not mean Apple in its current form is good enough.
 