Apple Was Alerted To iPhone FaceTime Bug At Least A Week Ago #Facepalm

Earlier today we reported on a rather nasty Group FaceTime bug that had the potential to affect every iPhone user running iOS 12.1.2 or higher. In a nutshell, the bug allowed anyone to place a FaceTime call to another person, tap the “Add Person” button, and then add their own phone. Once these steps were completed, the initial caller would be able to hear what’s picked up by the receiver’s microphone even if the receiver didn’t answer the incoming FaceTime call.

Even more disconcerting is the fact that a brief glimpse of video could also be transmitted from the receiver’s phone if they hit the power button to end the call. Both of these instances are serious lapses in iOS security and are a black mark on a company that prides itself on user privacy. However, Twitter user MGT7500 says that she initially contacted Apple about the FaceTime bug over a week ago.

The Twitter user claims that her 14-year-old son stumbled upon the FaceTime bug, saying “He can listen in to our iPhone/iPad without your approval.” She went on to add that she had video evidence, which she submitted via bug report. Not only that, she says that she called, faxed, and emailed Apple about the issue. She even reached out via Facebook Messenger to no avail.

In a January 22nd email to Apple Support (and via her tweet), MGT7500 makes it clear she was also seeking to find out if Apple’s Bug Bounty program would apply in this situation, with the proceeds going to her son. In that same email, we can see that Devin from Apple Product Security did respond, but we cannot see what he told her. In a subsequent tweet, MGT7500 explains what she was told:

MGT7500 kept quiet about the specific details of the discovery – at least via Twitter – until the news broke last night when she went on a tweetstorm asking that her son get credit for the discovery.

Since the FaceTime bug went global, Apple has temporarily disabled Group FaceTime, which should prevent anyone from exploiting this loophole. The only comment that Apple has made about the discovery is that it has “identified a fix that will be released in a software update later this week.”
