A creepy statue with its hand by its ear as if listening.

Photo by Couleur on Pixabay


Apple Fixes Group FaceTime Bug; Promises to Improve Bug Reporting Process

Last month, a nasty FaceTime bug was discovered that allowed a FaceTime caller to hear audio from the recipient’s device while the call was still ringing, before the recipient had accepted or rejected it (see “Apple Disables Group FaceTime to Block Glaring Privacy Hole,” 29 January 2019). The bug was in the Group FaceTime feature introduced in iOS 12.1 (see “Apple Releases iOS 12.1, macOS 10.14.1, watchOS 5.1.1, and tvOS 12.1,” 30 October 2018), so Apple disabled Group FaceTime on its servers while its engineers worked out the problem.

Now, in a statement to TidBITS, Apple has announced that it has solved the problem and will re-enable Group FaceTime soon:

We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.

Who is the Thompson family? That’s a reference to Grant Thompson, the 14-year-old who originally discovered the bug. Grant and his mother Michele tried to alert Apple about the bug but were stymied by Apple’s bug reporting process. Here’s the tweet Michele Thompson posted on 20 January 2019 about it:

Michele Thompson's tweet.

A “high-level executive with Apple” has since visited the Thompson family to thank them personally and get feedback, and Apple has indicated that Grant Thompson will be eligible for its bug bounty, which is normally open only to invited researchers and pays up to $200,000 per vulnerability, depending on the category (see “Apple Opens Bug Bounty Program,” 5 August 2016). That’s one way to pay for college!

Apple’s statement continued:

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.

Apple’s handling of this incident is notable for three reasons:

  • Apple was able to respond and block the issue on its servers within an hour of it becoming common knowledge. This happened the same week in which Apple also used its server-side control to disable apps from Facebook and Google that were violating Apple’s terms of service and violating user privacy (see “Apple Shuts Down Facebook’s Internal Apps Due to Flagrant Policy Violations,” 30 January 2019).
  • Apple publicly acknowledged the Thompson family’s discovery of the bug. Over a decade ago, Apple wouldn’t typically attribute security vulnerabilities to the researchers who discovered them. Not only has that policy changed, but Apple is giving the family credit in its public statement despite that report being mishandled internally.
  • In the statement, Apple admits that its security bug reporting process is flawed and needs improvement. While Apple has made great strides in working with security researchers and improving its vulnerability management process, it still has problems when it comes to bug reporting. Apple’s Bug Reporter requires submissions to come from an Apple Developer account, and the alternative channel for security issues, emailing product-security@apple.com, is neither well publicized nor easy for a non-technical reporter to use effectively. This isn’t merely an obstacle for security professionals (and hobbyists); as this incident shows, it effectively blocks reporting from the general public and hinders internal escalation of sometimes-serious issues that get lost in a sea of general bugs.

Apple blocked the vulnerability so quickly that our Twitter feeds were still filled with people blasting out the flaw even hours after Apple’s workaround went into effect. Make no mistake, this was a serious security failure, but one that Apple handled quickly. The company’s statement and outreach to the Thompson family also show that it recognizes the failures in how the initial reporting was handled and intends to improve the process going forward. We’ll see if Apple follows through on that intent.


Comments About Apple Fixes Group FaceTime Bug; Promises to Improve Bug Reporting Process

Notable Replies

  1. What is the best way to report a general bug? I have a weird thing happening on my machine in which coming out of sleep my screen is briefly visible before the login screen appears. That is unquestionably a bug, and a rather serious one, too. But I have no idea how to alert someone technical enough to track it down (other than perhaps seeing whether someone I might know at Apple could help.) The idea of getting a developer account and then dealing with all that seems onerous. Plus, it is really inconsistent and without being able to provide steps for reproducing it, I can see it ending up in the “closed” bin.

  2. Your best bet is AppleCare, but if you didn’t spring for that or your coverage expired you’ll have to pay for phone support.

    Apple Genius Bar is next best. They should be willing to discuss with you when you show them.

    Agree that developer account isn’t worth the effort. Writing Product-Security probably won’t work without a demonstration.

    The Apple Feedback web site is close to worthless for such situations.

    I’m not sure I agree that this is a serious bug without actually seeing it though, as it doesn’t seem to me that a glance at your screen is at all exploitable.

    Sent from my iPad

    -Al-

  3. Does Apple ever charge for phone support anymore? I’ve never been asked in the slightest if what I’m calling about is somehow covered by a warranty.

    In terms of reporting a general bug, the best way to do it is via Apple’s Bug Reporter, but that currently requires a Developer account. Someone who has one could do it for you, if you don’t. I’m sure there are some people here who are in the program.

    https://developer.apple.com/bug-reporting/

  4. Dev account? LOL. This thread nicely describes the problem. Why should anyone jump through hoops to report a bug to Apple?

    What Apple should have is a nice and simple form on their website for anybody to enter. Ideally it should indicate important information that should be included so less savvy users (like the mom in this story) are assisted in reporting all relevant details to Apple’s engineers. The existing feedback form could be used for this, it’s anybody’s guess why Apple hasn’t implemented that.

    Sure, Apple will collect spam and the submitted information will be noisy, but I’m sure their $250B can help with that. Bottom line, the very public display of Apple’s inability to get important information from an affected user to their engineers is far more expensive (not to mention outright embarrassing) than supplying a low-threshold reporting link. Considering how Apple has grown fond of advertising their take on privacy, this bug illustrates that they still have ample work left in terms of putting their money where their mouth is. I get it, a feedback form isn’t something Schiller can put on a Las Vegas billboard to sell gadgets. But if you really want to walk the walk…

  5. Yeah, this is exactly the question—what will Apple do to make general bug reporting available to the public. I was blanking on the context slightly when I replied above and was thinking about purely this group.

  6. I can see some of Apple’s thinking. You want to make the true bug reporting easy to do, but not a dumping ground for what people think are “bugs” but are technical issues or user problems that should be handled in support. A good screening team would help on this.
