Apple's iOS 12.1.4 Update Also Fixes Live Photos Vulnerability, FaceTime Bug Reporter to Receive Bounty and Gift Toward Education

Discussion in 'News Discussion' started by MacRumors, Feb 7, 2019.

  1. Bryan Bowler macrumors 68040

    Sep 27, 2008
    That's pretty cool of Apple (the scholarship). Good on ya!
  2. apolloa macrumors G4

    Oct 21, 2008
    Time, because it rules EVERYTHING!
    I’ve not taken advantage of anything? So you think I’m making money out of this somehow? That Apple cares what I say? And you are belittling the seriousness of the biggest security hole ever to exist in iOS, thankfully the US Senate doesn’t believe they should ‘get a grip’ and have taken this issue rather more seriously, I think that is what Apple will take notice of.

    We don’t, but the battery scandal came to light by the media, the FaceTime bug came to light by the media and Apple ignored its report. It had more than enough time to become widespread on social media, yet Apple still ignored it until it was in the media.
    And these screen recording apps have ONLY been targeted by Apple again after the media exposed it, I see a pattern here, not sure about you?
    If Apple wants to portray security and privacy so much, then it should be a hell of a lot more proactive in fixing them.
  3. C DM macrumors Sandy Bridge

    Oct 17, 2011
    So you say that we don't know, but then speak of it all as if we do.
  4. tobybrut macrumors newbie

    Sep 10, 2010
    The battery issue was turned into a scandal of communications, but not of action. If Apple had been smart enough to actually tell people that they were throttling older CPUs to conserve batteries, nobody would think twice about it because it's the proper thing to do. Apple wasn't doing it, as some people incorrectly claimed, to push people to buy new phones by throttling their old ones. They were trying to preserve the batteries as long as possible, something that would prevent people from upgrading their phones. It's highly unlikely people would notice the CPU slowdowns much, if at all, but everyone would notice if their batteries only lasted for a couple of hours.

    We also don't know if Apple ignored the report. A week is a very short time when it comes to how companies process bug reports. I posted on the previous page what usually happens in large companies, and a week would be considered lightning quick for any actions to take place, seeing how many hands that report would have to go through before Apple even determines if it's a bug. Most critical bugs are also fixed quietly, since most bugs are never noticed by customers, but are rather found by QA. If Apple had even had the time to figure out if it was a bug, they would likely have had a fix being readied for testing at the time. Since the bug was due to behavior nobody is likely to ever do (who invites themselves to a conference?), the probable reason QA never found it, Apple likely determined that they didn't need to make it public and could fix it in an emergency patch.

    The vast majority of critical and high priority bugs are fixed and rolled into a large patch, which normally takes months before they're rolled out. I would guess Apple probably was thinking of putting that fix into the next patch that probably wouldn't have gone out for quite a while. The only reason it became any kind of a scandal is because the people who reported the bug decided to go public. I'll leave it up to others to determine if that was the right thing to do. Note that most bugs found are quietly reported to companies in order for them to fix them before anyone is the wiser and cannot exploit the issue. Rarely do people go public until the company is ready to apply a fix.
  5. nihil0 macrumors member

    May 19, 2016
    How about calling Apple support first and letting them help you? When I had a problem with iCloud Photos, they helped me.
  6. Colonel Blimp macrumors member

    Dec 1, 2016
    You might be right, but I hope not. QA’s job is to try to think up all the unexpected and twisted ways that users come up with to break software. Trying to add my own telephone number to a group call is just the sort of thing I would have tried if I were testing Group FaceTime. (I remember dialing my own telephone number as a kid just to see what would happen.)
    If Apple knew about the bug, someone there must surely have realized the fallout that would inevitably result from even one person outside Apple finding the bug and publicizing it.

    I think it more likely that the responsible managers at Apple did not know about the Group FaceTime bug until shortly before they disabled it on Apple’s servers, that the failure to catch the bug in the first place was due to a shortage of good ad hoc software testers (who are much harder to find than most folks imagine), and that the failure to escalate it to the responsible managers with the urgency it deserved after it was first reported was due to a shortage of competent people doing bug triage.

    Everything else you wrote is spot on.
  7. Nick05 macrumors member


    Aug 5, 2011
    I would like to agree with you. While I do agree that should be the job, from my experience, most QA teams are testing a predetermined script for the desired result, not trying to break things. Example: I enter correct credentials, it allows logon. I enter incorrect credentials, it denies logon. Fail to test: enter SQL injection, get returned list of userIDs.
    --- Post Merged, Feb 8, 2019 ---
    These things all take time. You cannot just disable things without testing the impact. It’s not like every time a bug is reported in the system that a team of people are on it, testing, reproducing it, resolving it. They sit in a queue, are evaluated by someone who determines the priority, escalates up the chain, and management makes a priority call. If there could be potential legal repercussions, data may have to be preserved for evidence in court. If this data could be considered tampered with in any way, it is thrown out, possibly making a lawsuit much worse.

    It’s not right to bash the kid in any way. A lot of bugs are found accidentally and he brought it to the attention of his mom and they were persistent about reporting it. We should all be thankful for that. He did the right thing. Though it may not have been the right thing to go public with at the time.
  8. brianjones74 macrumors newbie

    Nov 13, 2006
    What's even more frustrating is that they disabled FaceTime Live Photos but didn't actually tell anyone they did it. I've been using them for a project I am working on, so when I took pictures yesterday, the FaceTime app told me it was taking the Live Photos, but it was lying to me. Apple had disabled that ability on its servers but didn't inform its users in any way. My phone didn't update to 12.1.4 until after it was supposed to have taken the Live Photos I needed, so now all the photos I thought I'd gathered are completely lost because they were never taken in the first place and Apple didn't even bother to tell me.

    I'm glad the kid is getting compensated for finding the bug and reporting it, but what's Apple going to do to compensate those of us who are victims of its ham-fisted attempt at stopping its own bug? My guess: not a damn thing.
  9. MEJHarrison macrumors 65816

    Feb 2, 2009
    Sure they did. It was announced by them when they released 12.1.4. If you want to use that feature again, you need to update to the latest release. It's all here.
  10. brianjones74 macrumors newbie

    Nov 13, 2006
    I understand that. They did not, however, announce it before they released 12.1.4, which is when I was using my phone. They'd disabled it but not told users. That's literally my whole point.
  11. Sodium Chloride macrumors member

    Jul 11, 2017
    Does this bug affect those who still run iOS 11?
  12. apolloa macrumors G4

    Oct 21, 2008
    Time, because it rules EVERYTHING!
    We know that Apple advises it is working on a fix AFTER it's been reported in the media. I can only go by what I see and read.

    Well, Apple's own in-store diagnostic software always claimed no battery issues with people who took their deliberately slowed down iPhones into their stores. I would say that proves Apple lied for over a year. Sorry but batterygate is indefensible, and so far one Government, the Italian one, has fined them and Samsung over intentionally slowing devices down, many others are still investigating with the French carrying out criminal investigations, because forced obsolescence is a crime in that country.

    Hardly just 'a scandal of communications'..

    Also yes, we do know Apple ignored the report I think because it never responded to the kid or his mother, here they were trying to report, and they weren't the only ones, the biggest security hole ever in iOS and Apple didn't acknowledge anything to them about it.
    When it's such a huge security risk, then your own internal policies are a failure and need to be remade, but this is not the first big bug iOS has had, which doesn't inspire me with confidence that Apple has ever changed a thing. And from what I've read this hole was all over social media long before the main sites picked it up, they also did NOT switch off the FaceTime servers as soon as the story was out in the open, they just advised people to turn off FaceTime. That is not the action a company like Apple should be taking, they should have turned off the servers the second they knew about the security flaw, or as I suspect, they DID do just that.

    Firstly I'm a lot more thankful for websites like 9to5mac who raised this story and got it the attention Apple didn't award it.
    Secondly, yes bug fixes may take time, but Apple did not turn off its FaceTime servers, the bare minimum it could have safely done, until after the story was in the public eye and even then it did not turn them off immediately, instead choosing to advise people to just turn the feature off.
    It seems a lot of issues with security and Apple have been fixed lately after they've gathered media attention.
  13. MEJHarrison macrumors 65816

    Feb 2, 2009
    So what should they have done? Announced that there was a security hole in Live Photos from FaceTime but not turn it off? Should they leave the security hole open and just tell people not to use it if they've not updated? I can't see how they announce the issue to the world, don't turn things off and not get skewered by the public and media (and they would deserve it in that case).

    I'm not really seeing a better way to handle things, so how would you have done it?
  14. brianjones74 macrumors newbie

    Nov 13, 2006
    mum is awosome!
    I don't know, maybe prevent the FaceTime app from saying that a picture had been taken when it had not. Imagine if it was your camera app, and even though you clicked and it showed that a picture had been taken, it had, in fact, not been taken, and there's nothing you can do about it. Imagine you missed a really important moment, like I did. You'd feel exactly like I did. If they had the ability to turn it off at the server end, they could have also pushed out a message the moment I tried to take a picture that said something to the effect of, "Sorry. This feature has been temporarily disabled due to a security reason." Had they done that, I would have understood. But not informing the user at all is simply inexcusable, especially from the "it just works" company. Yes, they should have turned it off as they did, but not informing users who are depending on a function to work exactly as it tells the user it is working is inexcusable. How would you have handled it? Would you just have said, "Oh, sorry, we didn't take those pictures we told you we did. Oopsie."?
  15. MEJHarrison macrumors 65816

    Feb 2, 2009
    First of all, good answer.

    Just to be clear, are you suggesting they blast the entire world with this message? Or are you thinking it should pop up when the user is attempting to use that feature?

    I don't think alerting the world would be appropriate since I'd guess it's not a widely used feature (I didn't know it was possible until just recently). I might be wrong about that. And a person could certainly argue this point. To me, I don't think it would have been appropriate. Would you really want Apple sending out alerts every time they've discovered a bug? I know I wouldn't.

    Clearly that message can't be baked into older versions of the OS. As a developer myself, I absolutely NEVER add in logging and messages for potential bugs I don't know about yet. If I did, I'd never complete any task because I'd always be wondering what else might break that I've not thought of. If I think some code might throw an error, I write code to handle it gracefully or change the code to eliminate the potential bug. But that's only for things you know might fail when you're still developing and that's not a viable approach for things you've not thought of. How could someone possibly write an error message for something they've not even considered? I'd bet good money no such code exists in the previous version of FaceTime. So it wouldn't help those who haven't updated. This message would need to be added to a new release and the user would have to update to get it. But if they update, they've already gotten the fix that prevents the bug in the first place.

    The only other option is to do it from the server end. Clearly FaceTime communicates with Apple's servers. And apps have the ability to do popups. But there's a lot more involved than that. Can Apple detect that you're taking a live photo from their end? They brag about things not being sent back to the server unless it's needed, so it's possible the Live Photo is entirely on your phone and they don't know you're even taking it (privacy and all). Let's say they do know. The next question is, does FaceTime have the ability for them to send the message back and display it? Maybe they do know you're trying to take a Live Photo. But code would have needed to be written ahead of time (when they didn't even think it would break in this fashion) to see if there's an error coming back from Apple after attempting to take a Live Photo and to then display that error message in a popup. Again, this is code that would be easy to add and isn't at all uncommon, if it's something you know to expect ahead of time. But we come back to the problem of foresight. If they never envisioned things blowing up in this particular fashion, would they have added code to handle it?

    Sorry to hear that it's caused you problems. That really sucks. But I'm not sure how they could have handled it better (not saying they couldn't, just that I'm not sure how). I'll also add, I have no clue how Apple has written that code or what they should or shouldn't have done. It's possible this was a stupid human error. Or it's possible that this is truly a bizarre bug that no one could have planned for. I can't honestly say. But neither can anyone else here really. We're all just guessing based on virtually no information at all from the only people who actually do know all the facts.
  16. jtara macrumors 68000

    Mar 23, 2009
    No, they cannot. That's what this is all about.
  17. C DM macrumors Sandy Bridge

    Oct 17, 2011
    Not exactly. It's about getting the information to the right people and getting it looked into sooner and followed up and prioritized appropriately. But not really about people directly reaching some particular developers.