Last month, a nasty FaceTime bug was discovered that allowed a FaceTime caller to hear audio from your device while it was still ringing, before you accepted or rejected the call (see “Apple Disables Group FaceTime to Block Glaring Privacy Hole,” 29 January 2019). The bug was related to the Group FaceTime feature introduced in iOS 12.1 (see “Apple Releases iOS 12.1, macOS 10.14.1, watchOS 5.1.1, and tvOS 12.1,” 30 October 2018), so Apple disabled Group FaceTime from its end while its engineers worked out the problem.
Now, in a statement to TidBITS, Apple has announced that it has solved the problem and will re-enable Group FaceTime soon:
We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.
Who is the Thompson family? That’s a reference to Grant Thompson, the 14-year-old who originally discovered the bug. Grant and his mother Michele tried to alert Apple about the bug but were stymied by Apple’s bug reporting process. Here’s the tweet Michele Thompson posted on 20 January 2019 about it:
A “high-level executive with Apple” has since visited the Thompson family to thank them personally and get feedback, and Apple has indicated that Grant Thompson will be eligible for their bug bounty, which is usually restricted to invited researchers and pays up to $200,000 for each vulnerability reported (see “Apple Opens Bug Bounty Program,” 5 August 2016). That’s one way to pay for college!
Apple’s statement continued:
We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.
Apple’s handling of this incident is notable for three reasons:
- Apple was able to respond and block the issue on its servers within an hour of it becoming common knowledge. This happened the same week in which Apple also used its server-side control to disable apps from Facebook and Google that were violating Apple’s terms of service and violating user privacy (see “Apple Shuts Down Facebook’s Internal Apps Due to Flagrant Policy Violations,” 30 January 2019).
- Apple publicly acknowledged the Thompson family’s discovery of the bug. Over a decade ago, Apple wouldn’t typically attribute security vulnerabilities to the researchers who discovered them. Not only has that policy changed, but Apple is giving the family credit in its public statement despite that report being mishandled internally.
- In the statement, Apple admits that its security bug reporting process is flawed and needs improvements. While Apple has made great strides in working with security researchers and improving its vulnerability management process, it still has problems when it comes to bug reporting. Apple’s current system requires submissions to originate from an Apple Developer account and be shared using the company’s dedicated bug reporting system. This isn’t merely an obstacle for security professionals (and hobbyists); as reinforced by this incident, it prevents reporting from the general public and appropriate internal escalation of sometimes-serious issues that get lost in a sea of general bugs.
Apple blocked the vulnerability so quickly that our Twitter feeds were still filled with people blasting out the flaw even hours after Apple’s workaround went into effect. Make no mistake, this was a serious security failure, but one that Apple handled quickly. The company’s statement and outreach to the Thompson family also show that it recognizes the failures in how the initial reporting was handled and intends to improve the process going forward. We’ll see if Apple follows through on that intent.