Apple was warned about alarming FaceTime eavesdropping bug last week



Yesterday, a worrying and invasive bug that allowed callers to secretly listen in on unknowing recipients through Apple’s FaceTime app quickly made news headlines. It was discovered that people could initiate a FaceTime call and, with a couple short steps, tap into the microphone on the other end as the call rang — without the other person accepting the FaceTime request. Apple said last night that an iOS update to eliminate the privacy bug is coming this week; in the meantime, the company took the step of disabling group FaceTime at the server level as an immediate emergency fix. However, new information suggests that Apple has already had several days to respond; the company was tipped off about it last week.

Back on January 20th, a Twitter user tweeted at Apple’s support account clearly outlining the gist of the FaceTime bug: “My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval.” The parent’s teenager had discovered the problem one day prior on January 19th, according to tech entrepreneur John Meyer, who has been in contact with them.

FaceTime wasn’t mentioned in the tweet, but it’s still something that would seem worth looking into. The warning has now received a lot of attention, but it could’ve flown under the radar for Apple’s customer service / social media team at the time. There was no direct reply from Apple, but the tweet said a bug report had been filed.

In fact, through subsequent tweets, the same person claimed that they made multiple attempts to reach Apple and inform the company of the issue. An email dated January 22nd warned of “a major privacy and security flaw.” Another image seemingly confirms that the person eventually emailed, which is exactly what the company says should be done in this kind of urgent situation.

The emails emphasized the bug’s significance, calling it “a huge issue” that the sender had personally verified. Without revealing the necessary steps to exploit the bug in that email — the sender had questions regarding Apple’s bug bounty program and wondered if their son might receive a monetary reward for discovering it — they asked Apple to get in touch immediately so that a fix could be quickly developed.

But no response came, leading the individual to both email and fax a formal document to Apple on January 25th. Here, the full bug is laid out in detail, and the message — titled Urgent Security Issue Regarding iOS 12.1.3 — contained an unlisted YouTube link to a video that demonstrated the FaceTime issue. “My fear is that this flaw could be used for nefarious purposes,” the sender wrote. “At this point, I will not release this information to anyone until I hear back from you.”

At some point, Apple apparently did respond, but it instructed this person to go through the process of filing a bug report.

If Apple became aware of the FaceTime exploit before it was widely publicized yesterday, the company did not take any immediate action to resolve it. The Verge was able to verify the eavesdropping capability firsthand before Apple shut down group FaceTime as a quick fix. The company has not commented on the bug beyond yesterday’s statement that an iOS update is in the works.

