Apple was slow to act on FaceTime bug report, which came from mother of 14-year-old who found it


#1

Originally published at: https://boingboing.net/2019/01/29/apple-oops.html

Go get a developer account and send us a formal bug report, Apple reportedly told them.


#2

I have to say, I kind of like how they are calling this the Facepalm bug. Because really…


#3

Ms. Thompson and her son clearly know what they are talking about. I initially assumed her name must be “Tables”.


#4

That is not the part that seems like a problem to me. For companies with more than one employee, having a formal process to report vulnerabilities is absolutely the right way to do it, because otherwise there is very little chance that the right people would hear about it or have the details they need. There’s no clear distinction between a vulnerability and a bug, and it would be a mistake to rely on outside parties to correctly make the distinction, so submitting vulnerabilities through the bug tracker also makes sense.

What is troubling is the time they took, or at least appeared to take. Whatever they said publicly – and I wouldn’t expect any company, let alone Apple, to give a running Twitter commentary on active security issues – internally they should have recognised the size of the problem the same day, and escalated it to someone with the authority and wherewithal to disable group calling as soon as they knew that would mitigate the problem. The only thing we actually know is that it took them 8 days, and that certainly sounds like a long time for this particular fix.

In general though, bugs can easily take a lot longer than that to fix, which is why a security researcher would rightly be blasted for posting this on social media the same day they told Apple about it. You can’t expect a general-purpose mom to be aware of responsible disclosure practices of course, but this story probably wouldn’t have blown up if the vulnerability hadn’t been discovered by a non-hacker (which is extremely unusual).


#5

Bah! You expect Apple to pull developers away from creating awesome new features to fix a bug!?! Apple didn’t become one of the planet’s most valuable companies by fixing things, they just make things shiny!


#6

Why are people pretending that Apple sat on this or covered it up? This person notified an entry-level person at Apple Support and it made it all the way to the top in just one week! Most bugs take much longer to handle, and most support calls like this turn out to be user error.

This is a serious bug and demands immediate attention, and arguably should’ve been caught way before a random user discovered it. However, one week response time is way faster than you would expect, not slower. The NY Times author should realize that if they regularly report on the tech industry. This was not hidden or lied about. It just takes time for a bug report to go from a first-level support tech all the way to the development team.


#7

“You’re reporting bugs wrong.” -Apple


#8

“One weird bug! Discovered by a mom! Apple HATES her!”


#9

Paying $99 for an Apple Developers Account for the right to report a bug does seem a bit problematic.


#10

It’s been possible to get a developer account without paying for some years.


#11

So what ‘rewards’ were the 14 y.o. and his mom given, aside from internet kudos for finding the bug and bringing it to Apple’s attention? “Thanks for pointing this out, now go away.”


#12

Many companies have a bug bounty program; not sure if Apple is one of them, doesn’t seem their style.

You can get a basic developer account for free. You only have to pay if you want to sell an app on the store.


#13

D’oh. Didn’t know that. You saved me $99 for next year.


#14

That’s not a bug, it’s a feature. Can you imagine how much Apple made selling this feature to law enforcement and espionage agencies? Just think of the money and time they save not needing to install a surveillance device or get a court order to listen in on you. Now that Apple has lost that revenue stream I can guarantee you the next generation iPhone will be more expensive.


#15

When you have a company as big as Apple that probably gets thousands of reports a day, the vast majority of which are bogus or not real issues, it can be hard for the big issues to surface to the right people quickly.


#16

Except that (1) the NSA would probably ask for a backdoor that doesn’t cause the target phone to ring continuously, and (2) Apple makes well over $100 million a day in profit; if they’re risking their entire business to provide criminal surveillance, it’s not because they were impressed by the amount of money offered.


closed #17

This topic was automatically closed after 5 days. New replies are no longer allowed.