Major Apple FaceTime bug allows audio eavesdropping
A new major FaceTime bug can allow someone to hear the other party's audio before they answer the call and the issue was reported to Apple more than a week ago.
Apple is working on a fix for a major FaceTime bug that allows callers to hear audio from the recipient's device before the call is answered.
To trigger the FaceTime bug users would have to add themselves to a FaceTime call while the call is still ringing; when the call changes to a group call, the audio from the original recipient will play for the caller even if the call hasn't been accepted. On the victim's end, all that is shown are the FaceTime answer and reject buttons with no indication that any audio is being sent back. Some outlets -- like BuzzFeed and The Verge -- have reported ways to trigger video eavesdropping as well.
Apple quietly disabled group FaceTime calls while it works on a patch and the company told BuzzFeed News that it is working on a fix set to be released later this week. The issue only affects iOS 12.1 and higher.
The FaceTime bug began sweeping social media on Jan. 28, prompting many experts to encourage users to disable FaceTime via the iOS or Mac settings until the issue was resolved.
Beyond the privacy implications of the FaceTime bug, new reports claim that the issue was discovered by a 14-year-old, and the teenager's mother has been trying various ways of disclosing the issue to Apple for more than a week.
According to CNET, Michele Thompson, a lawyer from Arizona, attempted multiple times to report the FaceTime bug to Apple after her son discovered the issue. Thompson first attempted to tweet to Apple on Jan. 20. She then wrote a letter to Apple's general counsel on Jan. 22 and even registered as a developer on Jan. 23 after an Apple representative told her she would need to do so in order to report the FaceTime bug.
Throughout the process, Thompson reportedly didn't receive any response from Apple indicating her disclosures were received.
Apple started a bug bounty program in 2016, but it was initially criticized for featuring an invitation system which would only allow certain vetted researchers to submit vulnerabilities.
Apple's bug bounty has since opened up to anyone registered as an Apple developer, but Chris Wysopal, CTO at Veracode, noted on Twitter that bug reporting to Apple is still a common problem.
The 14 year old kid should get a bug bounty. Group FaceTime could have been disabled before the information became widely available.— Chris Wysopal (@WeldPond) January 29, 2019
Tavis Ormandy, vulnerability researcher for Google's Project Zero, wondered on Twitter about the scope of the FaceTime bug and whether or not it's been exploited.
I wonder if Apple has enough log data to determine if anyone abused the FaceTime bug, and if so, if they'll inform the victims.— Tavis Ormandy (@taviso) January 29, 2019