Pixel Envy

Written by Nick Heer.

Bugs in Group FaceTime Allow Callers to See and Hear Recipients’ End Without Them Answering

Nicole Nguyen, Buzzfeed News:

In a statement, an Apple spokesperson said the company is “aware of this issue and we have identified a fix that will be released in a software update later this week.”

In BuzzFeed News’ test, an iPhone X was used to initiate a FaceTime video call to a recipient using an iPhone 8. After following the instructions outlined by 9to5Mac, the iPhone X caller could hear audio from the iPhone 8’s microphone. After the call recipient pressed the volume-down button, footage from the iPhone 8’s front-facing camera could be seen on the iPhone X — even though the call recipient had not answered the call.

Apple’s iCloud system status page currently reports that Group FaceTime is offline — presumably either to halt the impact of this bug, or to try to fix it remotely. This is a pretty nasty bug nevertheless, and makes you wonder why a recipient’s iPhone would send any data to the server before they answer a call.

Update: The biggest concern here, for me, is that Apple’s product security team was apparently notified of this bug last week. The bug itself, while awful, leaves a trace so it’s not really a surreptitious spying tool. That’s not to excuse it. I’m just more concerned, if the report was credible, that the steps of pulling Group FaceTime offline and issuing an emergency patch were not made after this was first reported, because that suggests a procedural error. However, if the person who reported the general characteristics of the bug withheld information, particularly for financial compensation or a similar reason, that’s on them, and I can understand why immediate action wasn’t taken.

Update: John Meyer spoke with the mother of the kid who first publicly noticed this bug. The kid made a great demo video and the mother sent a notice via email, but was told to file a radar — not only did she do that, it was closed as a duplicate. It looks like Apple fell down in the reporting of this serious bug.