Yesterday, a worrying and invasive bug that allowed callers to secretly listen in on unknowing recipients through Apple’s FaceTime app quickly made news headlines. It was discovered that people could initiate a FaceTime call and, with a couple of short steps, tap into the microphone on the other end as the call rang, without the other person accepting the FaceTime request. Apple said last night that an iOS update to eliminate the privacy bug is coming this week; in the meantime, the company took the step of disabling Group FaceTime at the server level as an immediate emergency fix. However, new information suggests that Apple has already had several days to respond: the company was tipped off about it last week.
Back on January 20th, a Twitter user tweeted at Apple’s support account clearly outlining the gist of the FaceTime bug: “My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval.” The parent’s teenager had discovered the problem one day prior on January 19th, according to tech entrepreneur John Meyer, who has been in contact with them. CNET has identified the tipster as Michele Thompson, whose 14-year-old son first encountered the flaw while setting up a group FaceTime call with friends to coordinate strategy during a game of Fortnite.
This article is definitely worth a read, since it illustrates very well just how negligent Apple has been with this issue. The mother of the boy who discovered the flaw is a lawyer, and through formal letters and other means, she reported the major security flaw through all the various channels Apple offers. Apple wasn’t very forthcoming, and despite knowing about the issue, didn’t do anything about it until yesterday, when the company disabled Group FaceTime and promised a fix would come “later this week”.
My understanding so far:
A 14-year-old discovered a bug that comes down to “If I, as a normal caller, press button A and then B, I control the response of others”.
His mother, a lawyer, files this exactly the way Apple desires, through all the proper channels, but nothing happens.
A week later somebody else posts this on a tech blog and almost immediately Apple officially confirms the bug, shuts down the server functionality and announces a patch.
Now, and this is just my assumption, but the one reading that tech blog is just an engineer from Apple who immediately talked to his human boss, who immediately talked to his boss, who immediately took action. And the official message(s) from the lawyer-mother will probably receive a “thank you for your message. Apple support will contact you in 4-6 weeks”.