A Teenager Tried To Warn Apple About Its FaceTime Security Flaw, But Appears To Have Been Ignored

from the go-to-voicemail dept

By now, you’ve almost certainly heard about the latest big technology security flaw, in which Apple’s FaceTime feature contains a bug that allows a caller using FaceTime to hear through the recipient’s phone while the call is still ringing. This obviously has all kinds of people all kinds of freaked out, since the bug essentially turns any iPhone into a short-burst surveillance bug. This has led some to opine that Apple, which has a fairly decent reputation from a privacy standpoint, is at risk of having that reputation torpedoed over this story.

And that might be all the more the case when the public discovers that Apple was informed of this bug by a teenager and his mother in the weeks running up to the press coverage of it, and did nothing about it.

The Wall Street Journal reports that Grant Thompson, from Tucson, was “setting up a FaceTime chat with friends ahead of a ‘Fortnite’ videogame-playing session when he stumbled on the bug”. It was then that Thompson noticed that he could hear audio from friends who had yet to join the call. Grant quickly told his mother, Michele, and the pair spent a week trying to contact Apple to warn them about the issue.

The WSJ says that after some calls and faxes they “eventually traded a few emails” with Apple’s security team, but it wasn’t until reports of the bug blew up on Twitter that the decision was made to disable Group FaceTime.

This apparently happened a week or so before this all exploded on Twitter and in the media. We’ve heard stories like this in the past, of course, but it always amazes me that tech companies aren’t better about having a unified message across the entire company that staff should report this sort of thing up the hierarchy, and that those higher up should jump on addressing these reports both quickly and publicly. Imagine a world where Apple had lauded this teenager for informing the company about the bug and had proactively disabled Group FaceTime until the bug was resolved. Apple would have come out looking, once again, as though it were looking out for the privacy interests of its users.

Instead, it sure looks like the company was hoping to stick its head in the sand and pretend the bug didn’t exist. Or, more charitably, perhaps the company thought it could simply do away with the bug quietly via an update with vague patchlist notes. Either way, it’s not a great look.

Companies: apple


Comments on “A Teenager Tried To Warn Apple About Its FaceTime Security Flaw, But Appears To Have Been Ignored”

pegr (profile) says:

Never attribute to malice...

More like the right folks didn’t hear about it for a while. Mom gets a different level of attention than if a known vulnerability researcher would have made the call. You have to imagine that every tech firm gets their fair share of cranks making bogus claims about vulnerabilities.

Why, just last night my phone’s Facebook app was beaming political messages into my brain while I slept!

Ven says:

Customer Service scripts are designed to pigeonhole users

I’d bet they called up the normal front-facing customer service and got the whole “turn it off and on again” spiel. Apple has been better about having actual trained people involved in customer support, but even they have a first-level wall of untrained script-reading bots (human or software) to filter people into the right buckets before sending them on to the people with the right knowledge.

If the script they give to these front line people doesn’t include a way to filter the call into the "security issue" or "privacy leak" buckets then it will drop them off into some meaningless phone menu hell.

This is one more symptom of companies not planning for security issues to happen unexpectedly. If no one with agency thinks to include something like this in customer service scripts and no agency is given to the actual front line script readers then there is no way to easily move real security issues up the chain.

Black Bellamy (profile) says:

Re: Customer Service scripts are designed to pigeonhole users

The story says they made phone calls and faxes until they started trading emails with the security team. While it doesn’t go into further detail (I would love to see those emails) it does indicate they got past level one support.

To reproduce the issue is three easy steps. 9to5mac.com was able to do it no problem. So this looks like someone on the security team or above made a call not to shut off Facetime while they worked on a fix. Meanwhile it blew up all over Twitter so they had to shut it down before the fix came out.

Anonymous Coward says:

Re: Customer Service scripts are designed to pigeonhole users

If no one with agency thinks to include something like this in customer service scripts and no agency is given to the actual front line script readers then there is no way to easily move real security issues up the chain.

They need to add a shibboleet option.

Ever tried to report a BIOS bug to someone? I found it impossible, almost exactly like in that comic (the laptop vendor wanted to debug Windows, which wasn’t running; the problem happened before any OS was running).

Anonymous Coward says:

The story(and original source) is light on details. If Grant and his mother were unable to provide steps to reproduce the bug, then this would not be a high priority issue. The reason is without reproduction instructions the report could be mistaken, some insane alpha particle flipped a bit thing, or even a malicious false report. System logs for Apple to dig through can be enabled on iOS, but that doesn’t do any good if you never reproduce the bug.

Now if Apple was given explicit steps to reproduce and did nothing, well that’s a pretty big egg on their face.

Anonymous Coward says:

Re: Re:

That mom and teen are just lucky that the FBI didn’t show up to their house…

That happens next week, after the media coverage has died down somewhat. The FBI shows up at their house next week.

Since the kid’s a "hacker" he gets the 29-agent, 17-vehicle with two amphibious tanks, one helicopter with SWAT rappelling onto the roof, and multiple flash-bang treatment — the treatment that was absolutely not pioneered with CNN’s coverage of the Roger Stone arrest. Pretty much par for the course when it comes to "hacker" arrests.

Anonymous Coward says:

Apple has been using this "bug" in Facetime to spy on rival companies, steal their ideas etc. Ever noticed how "co-incidentally" Apple has filed a large number of patents JUST before a rival company?

The UK government has recently changed most of its staff to use iPhones.
Apple also using this bug to spy on Brexit negotiations, so they can again "co-incidentally" invest in the stock market based on government private discussions, as they then know which companies will get new contracts etc.

It’s insider trading all the way from Tim Cook on down it appears.

Anonymous Coward says:

Ok, YOU are the Facetime product manager at Apple ...

Assume that the issue filters to you as product manager two days after first contact with the "help desk".

You talk to the developers and it’s 15 working days to design, implement and test a fix, or you can shut down group chat, which would affect millions of users.

What would you do?
