Originally published at: https://boingboing.net/2019/01/29/apple-oops.html
Go get a developer account and send us a formal bug report, Apple reportedly told them.
Ms. Thompson and her son clearly know what they are talking about. I initially assumed her name must be “Tables”.
That is not the part that seems like a problem to me. For companies with more than one employee, having a formal process to report vulnerabilities is absolutely the right way to do it, because otherwise there is very little chance that the right people would hear about it or have the details they need. There’s no clear distinction between a vulnerability and a bug, and it would be a mistake to rely on outside parties to correctly make the distinction, so submitting vulnerabilities through the bug tracker also makes sense.
What is troubling is the time they took, or at least appeared to take. Whatever they said publicly — and I wouldn’t expect any company, let alone Apple, to give a running Twitter commentary on active security issues — internally they should have recognised the size of the problem the same day, and escalated it to someone with the authority and wherewithal to disable group calling as soon as they knew that would mitigate the problem. The only thing we actually know is that it took them 8 days, and that certainly sounds like a long time for this particular fix.
In general though, bugs can easily take a lot longer than that to fix, which is why a security researcher would rightly be blasted for posting this on social media the same day they told Apple about it. You can’t expect a general-purpose mom to be aware of responsible disclosure practices of course, but this story probably wouldn’t have blown up if the vulnerability hadn’t been discovered by a non-hacker (which is extremely unusual).
Bah! You expect Apple to pull developers away from creating awesome new features to fix a bug!?! Apple didn’t become one of the planet’s most valuable companies by fixing things, they just make things shiny!
Why are people pretending that Apple sat on this or covered it up? This person notified an entry-level person at Apple Support and it made it all the way to the top in just one week! Most bugs take much longer to handle, and most support calls like this turn out to be user error.
This is a serious bug and demands immediate attention, and arguably should’ve been caught way before a random user discovered it. However, one week response time is way faster than you would expect, not slower. The NY Times author should realize that if they regularly report on the tech industry. This was not hidden or lied about. It just takes time for a bug report to go from a first-level support tech all the way to the development team.
“You’re reporting bugs wrong.” -Apple
“One weird bug! Discovered by a mom! Apple HATES her!”
Paying $99 for an Apple Developers Account for the right to report a bug does seem a bit problematic.
It’s been possible to get a developer account without paying for some years.
So what “rewards” were the 14 y.o. and his mom given, aside from internet kudos for finding the bug and bringing it to Apple’s attention? “Thanks for pointing this out, now go away.”
Many companies have a bug bounty program, not sure if Apple is one of them, doesn’t seem their style.
You can get a basic developer account for free. You only have to pay if you want to sell an app on the store.
D’oh. Didn’t know that. You saved me $99 for next year.
That’s not a bug. It’s a feature. Can you imagine how much Apple made selling this feature to Law Enforcement and Espionage agencies? Just think of the money and time they save not needing to install a surveillance device or get a court order to listen in on you. Now that Apple has lost that revenue stream I can guarantee you the next generation iPhone will be more expensive.
When you have a company as big as Apple that probably gets thousands of reports a day, the vast majority of which are bogus or not real issues, it can be hard for the big issues to surface to the right people quickly.
Except that (1) the NSA would probably ask for a backdoor that doesn’t cause the target phone to ring continuously, and (2) Apple makes well over $100 million a day in profit; if they’re risking their entire business to provide criminal surveillance, it’s not because they were impressed by the amount of money offered.