Apple Faces First Lawsuit For Embarrassing Group FaceTime Eavesdropping Bug

Well, you could see this one coming from a mile away. Remember that Group FaceTime bug we wrote about yesterday? The one that Apple apparently knew about since at least last week? Predictably, someone has gone and filed a lawsuit and is seeking unspecified punitive damages on claims of negligence, product liability, misrepresentation, and warranty breach.

In case you missed it, the bug allowed users to exploit the Group FaceTime feature in iOS to spy on another iPhone, iPad, or even a Mac user. We say "allowed" (past tense) not because the bug has been squashed (soon, but not yet), but because Apple has disabled Group FaceTime while it works on a fix.

Before that happened, a user could place a FaceTime call to another person, tap on the "Add Person" button, and then add their own number as part of the Group feature. This tripped up FaceTime, which would then pick up audio from the microphone of the person who was called, even though they had not answered the FaceTime call. Even worse, this same exploit could be used to enable video from the recipient's handset if that person hit the power button to end the call.

It's a startling oversight from a company that preaches about security and privacy, and it riled up Larry Williams II, a lawyer in Houston who claims the bug enabled someone to eavesdrop on a privileged conversation he had with a client.

"Plaintiff was undergoing a private deposition with a client when the defective product breach allowed for the recording of a private deposition. The product was used for its intended purpose because Plaintiff updated their phone for the purpose of Group FaceTime calls but not unsolicited eavesdropping. Plaintiff suffered injuries," the lawsuit states (PDF).

The lawsuit also alleges that other people potentially sustained "similar privacy injuries" resulting from the FaceTime bug, and that Apple failed to warn iOS users that this could happen when updating to iOS 12.1.

Apple has promised to roll out a fix to the bug sometime this week.