It's about time. I tried the bug out on a friend and the results were… eye-opening.
View attachment 819296
How so? Apple disabled the Group FaceTime thing that apparently mitigated the bug. Or does it not matter?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple's iOS 12.1.4 Update to Fix FaceTime Eavesdropping Bug Showing Up in Analytics
- Thread starter MacRumors
- Start date
- Sort by reaction score
How so? Apple disabled the Group FaceTime thing that apparently mitigated the bug. Or does it not matter?
In fact it was so simple, that you picked up on it on the day of release
I don’t use FaceTime and never have. One of the first things I disable on any fresh install of iOS.
Regardless, still a simple bug. It takes 2 simple steps to entirely erase any end user’s privacy. Another public relations nightmare which will result in lost customers and stalled upgrades. Won’t see the effect of this until their next earning’s release, but it will be a real hit.
No, the user is NOT aware of this happening, that’s why it is such a serious privacy issue.
Also any account you sign up for that falls within your criteria of “selling personal data”, is something that the user has to willingly do. This bug could have been performed without the consent or willingness of the other party.
Additionally, Apple needs to improve their technical support process. I never contact Apple until I've tried everything listed on their Support website. I can't tell you the number of times the advisors have demanded I repeat the steps listed on the website while I am on the call with them, to "prove" I have done all of the troubleshooting. After all of that, all they do is escalate it to engineering, who very often asks me to replicate the steps I have already done. With this inefficient of a process, it did not surprise me that it took over a week for someone high enough at Apple to actually address the issue.
I wonder whether the current 12.2 beta already has this or will get this on the next point release (more likely)?
You could also argue that the entire point of the dev beta/public beta program is too assist Apple with finding and reporting issues (such as this), in addition to devs being able to test their apps against the latest version. That’s why they include a mandatory feedback app on every beta version. And I am sure there are many, many more dev/public beta testers than there are QA testers internally. So by your logic, anyone on the beta for 12.1 should have also caught this “very simple bug”.
The only way this bug can be fixed by a software update is if Apple also fixes Group FaceTime on the server side to not work with iOS version lower than the fix. Apple can’t force you to update directly.
I work closely with QA testers everyday. The remit is to work through testing the app in terms of its functionality. Adding yourself to a call wouldn't have been considered as you are the person initiating the call. If part of the functionality was that you could add yourself to a call that you already initiated, then yes, this would have been picked up on.
These days when Apple projects a time line, we need to double or even triple it. So my guess is that this week means sometime in the next 30 days. Welcome to the new Apple.
It's about time. I tried the bug out on a friend and the results were… eye-opening.
View attachment 819296
MacRumors needs to implement a double-like button on your profile. One is never enough.
I actually don’t think there will be much if any of lost sales. Maybe some persons in the edge will go to android.
The only left over will be these lawsuits that will either be dismissed or take years to settle. Otherwise, it’s TCB.
I wouldn’t call this bug ‘obvious’. I’d like to know how many people have tried to add themselves to a Group FaceTime call after they initiated said call. That’s not something most people would attempt to do in the first place, I don’t think.
But it is precisely the thing a professional QA engineer would test. It’s a boundary case (“what if I call myself?”) and boundary cases are where most bugs come from.
Oh I don't blame any public beta tester for not catching this. I'm just saying security experts spend their days thinking about how to break into things. For example, how can I make a CSV or Excel file that remotely executes code? How can I enter a negative number into a box where only a positive value makes sense? I don't know if I had discovered this problem myself. It's impossible to tell. But if I spent several days trying to break it, then I might have tried to add myself to a call. I would need two accounts, and two phones on my desk, and countless hours trying to break it. When I test my own software, I do try to think about all sorts of situations. For example, enter -0.0 as a number. Try to copy and paste my name into a box that only accepts a number. If Cmd+V doesn't work, right click and choose Paste.
Look, I took an MIT Computer Security online course, and I learned a lot about defensive programming techniques. I've tried to put code into a CSV file, and made Excel execute it. I'm not a security expert, but there are engineers out there who spend their days trying to come up with scenarios. And if something is as simple as adding yourself to a call, they might catch it. Not by calling friends randomly, but in a controlled, lab situation.
It's about time. I tried the bug out on a friend and the results were… eye-opening.
View attachment 819296
I so wanted to do this but you did it better than I ever could have hoped.
Wut. They have a very quick turnaround for serious issues such as this. Several big macOS bugs, and a couple of iOS ones in recent memory, have been released within 24 hours to a couple days of the exploit being made public. In fact, for such a big company, this turnaround time is extremely impressive.
[doublepost=1548966669][/doublepost]Hindsight is 20/20: The Thread
Sadly, it's the only way some people can find a bit of happiness and power in their lives, where none otherwise exists.
Not a healthy situation.
If Apple waits to thoroughly test iOS 12.1.4, they are blasted for the long delay.
If Apple distributes iOS 12.1.4 without thoroughly testing it, and any unfortunate side effects show up, they'll be blasted for that.
If Apple distributes iOS 12.1.4 without thoroughly testing it, and no side effects show up, they'll have escaped either of those sad fates.
It's a type of burden that many software developers must bear, though not in such a big spotlight.
If Apple distributes iOS 12.1.4 without thoroughly testing it, and any unfortunate side effects show up, they'll be blasted for that.
If Apple distributes iOS 12.1.4 without thoroughly testing it, and no side effects show up, they'll have escaped either of those sad fates.
It's a type of burden that many software developers must bear, though not in such a big spotlight.