Group FaceTime Bug Fix Included in iOS 12.2 Beta 3

The third beta of iOS 12.2, released to developers this morning, includes a fix for the Group FaceTime bug, which also reenables Group FaceTime on devices running the iOS 12.2 beta.

Apple addressed the Group FaceTime bug in the iOS 12.1.4 update released on February 7, but there has been no new iOS 12.2 beta until today, so the Group FaceTime feature has remained unavailable to iOS 12.2 users because the server has been offline.

The FaceTime bug allowed someone to spy on you without your permission or knowledge. By exploiting the bug, a person could initiate a Group FaceTime call with you and then add themselves to the call again to force a Group FaceTime connection, as demoed in the video below.


When the Group FaceTime connection was forced using this method, the person could hear the audio on your end, even if you did not answer the call. In fact, on your end, it would continue to look like the standard incoming FaceTime call interface. In some situations, if you pressed the side button to silence a call, it would even give the person access to your video.

Given the severity of the bug, Apple took its Group FaceTime server offline while preparing the iOS 12.1.4 update. Group FaceTime was reinstated on devices running iOS 12.1.4, but it does not work on iOS 12.2 beta 2 or devices with iOS 12.1.3 or earlier installed.

It should be noted that Group FaceTime is still somewhat broken following the update. In iOS 12.1.4, there is no option to add a person to a one-on-one Group FaceTime call because the "Add Person" button is grayed out. Group FaceTime calls need to be started with two or more people at the current time.

Other users have been unable to use Group FaceTime at all, and have had trouble adding additional people even during a call with more than one person. Apple is presumably working out these bugs and will have further fixes available in the future.

This article, "Group FaceTime Bug Fix Included in iOS 12.2 Beta 3" first appeared on MacRumors.com

Group FaceTime Still Partly Broken After Security Update, Apple Aware

A few weeks ago, Apple's Group FaceTime was discovered to have a major security flaw which potentially allowed users to listen in on others without their permission. The flaw was quickly publicized, forcing Apple to shut down FaceTime servers temporarily while a patch was being created. A week later, Apple released iOS 12.1.4, which addressed the security issue and re-enabled Group FaceTime for those users.


Unfortunately, Group FaceTime even under iOS 12.1.4 hasn't quite been restored to its former functionality. A MacRumors forum thread started the day after 12.1.4's release revealed users who found themselves unable to add more users to a FaceTime call. As it turns out, it appears that users are no longer able to add a person to a one-on-one FaceTime call. The "Add Person" button remains greyed out and inactive in this situation. The only way to add another person to a Group FaceTime call at this time is to start the call with at least two other people. This slight distinction appears to be the source of confusion for many users.

MacRumors forum user Bob-K persisted in his support calls with Apple, and was finally told that the "Add Person" button not working in that situation was a known issue and that they didn't know when it would be fixed.

Apple Support on Twitter also appears to be aware of this restriction:

We were able to reproduce this issue, but it appears this workaround isn't entirely reliable as one user reported being unable to consistently add people even during a group call. A search of Twitter shows a number of users who believe that Group FaceTime remains disabled, though some users may simply be unaware of the iOS 12.1.4 update, or may be confused by the greyed "Add Person" button issue.

Apple is actively working on iOS 12.2 Beta, which has not yet seen the addition of the patch for Group FaceTime, but we'd expect them to address the ongoing bugs in a later 12.2 beta release.



Texas Software Engineer Daven Morris Also Reported FaceTime Bug to Apple One Day Before it Made Headlines

In a support document outlining the security content of iOS 12.1.4, Apple credited both 14-year-old Grant Thompson of Catalina Foothills High School in Tucson, Arizona and Daven Morris of Arlington, Texas with reporting a major Group FaceTime bug to the company that allowed users to eavesdrop on others.


Thompson and his mother are widely known for being the first people to discover and report the bug to Apple, over a week before it made headlines on January 28, but nothing was known about Morris until now.

The Wall Street Journal today shared a few details about Morris, noting he is a 27-year-old software engineer who reported the bug to Apple on January 27, several days after the Thompsons but one day before it made headlines. He apparently discovered the bug a week earlier while planning a group trip with friends.


Apple on Thursday said it will compensate the Thompson family for finding and reporting the bug and make an additional gift toward Grant Thompson's education. Apple hasn't disclosed the exact sums of the donations. It's unclear if Morris will also be compensated by the company for reporting the bug.

In a statement issued to MacRumors, Apple apologized for the bug a second time and assured customers that it has been fixed in iOS 12.1.4, as has a previously unreported vulnerability in the Live Photos feature of FaceTime:
"Today's software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS."

Apple has reenabled its Group FaceTime servers, but the feature will remain permanently disabled on iOS 12.1 through iOS 12.1.3.

Widely publicized last month, the FaceTime bug allowed one person to call another person via FaceTime, slide up on the interface and enter their own phone number, and automatically gain access to audio from the other person's device without that person accepting the call. In some cases, even video was accessible.

We demonstrated the bug in a video at the time:


Apple already faces a lawsuit in Texas, a proposed class action lawsuit in Canada, questions from a U.S. Congress committee, and an investigation by New York officials over the bug and its serious privacy implications.



Apple’s iOS 12.1.4 Update Also Fixes Live Photos Vulnerability, FaceTime Bug Reporter to Receive Bounty and Gift Toward Education

Following the release of iOS 12.1.4, Apple today issued an apology to customers and said that it had found and fixed the Group FaceTime bug and an additional security vulnerability involving Live Photos in the FaceTime app.


From a statement provided to MacRumors:
"Today's software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS."

Going forward, Apple says that the Live Photos feature will not be available in FaceTime on older versions of iOS and macOS. Capturing a Live Photo will require iOS 12.1.4 or the new version of macOS 10.14.3. Apple is also restricting Group FaceTime from devices running earlier versions of iOS.

Apple in a security document released this morning outlines the specific fixes that were implemented in iOS 12.1.4 and the macOS 10.14.3 supplemental update.

Apple fixed a logic issue in the handling of Group FaceTime calls by improving state management, and the Group FaceTime testing led to the discovery of the Live Photos issue. Apple says that the Live Photos bug was fixed with "improved validation on the FaceTime server."

Additional Foundation and IOKit bugs were fixed in iOS as well, addressing memory corruption issues that could lead to elevated privileges for applications.

Apple lists Grant Thompson of Catalina Foothills High School as one of the people who discovered the FaceTime bug. Thompson and his mother made multiple attempts to get into contact with Apple to inform the company of the bug well ahead of when it went public. Daven Morris of Arlington, TX is also listed as a person who discovered the vulnerability and reported it to Apple.

Apple has apologized for missing those messages and has vowed to improve its bug reporting system to make sure future bug reports are distributed to the right people. Apple will be compensating the Thompson family for finding and reporting the bug, and Apple will be providing an additional scholarship to be put towards Thompson's education.


iOS 12.1.4 Now Available With Group FaceTime Bug Fix

Apple today released a new iOS 12.1.4 update for the iPhone, iPad, and iPod touch, with the new software designed to fix an insidious privacy-invading Group FaceTime bug that could be exploited to eavesdrop on conversations.

The new iOS 12.1.4 software can be downloaded on all eligible devices over-the-air using the Settings app. To download it, go to Settings > General > Software Update.

Though Apple's release notes for the update list "security updates" without going into specifics, the issue that's being fixed here is the Group FaceTime vulnerability. After the bug was widely publicized last week, Apple promised a fix, which was delayed to this week.

The FaceTime bug allowed someone to spy on you without your permission or knowledge. By exploiting the bug, a person could initiate a FaceTime call with you and then add themselves to the call again to force a Group FaceTime connection.

When this happened, the person could hear the audio on your end, despite the fact that the call was never answered and still looked like a standard FaceTime incoming call interface. In some situations, if you pressed the side button to silence a call, it would even give the person access to your video.

It was a serious bug, so serious that Apple took its entire Group FaceTime server offline as the company took the time to prepare the iOS 12.1.4 update. The Group FaceTime bug was publicized last Monday and Group FaceTime has been offline since then.

The Group FaceTime bug may have required some major under-the-hood changes to FaceTime given that it took Apple nearly two weeks to fix the issue. Following today's update, the Group FaceTime bug will no longer be exploitable and Apple will be able to bring its Group FaceTime server back online.

It continues to be unclear just how long the Group FaceTime bug was available for. Group FaceTime was introduced last October, and Apple has not let us know if the bug has been around since that launch date or if it was introduced in a later iOS 12 update.


Apple Fixing FaceTime Eavesdropping Bug in iOS 12.1.4 Update Coming Today

Apple is today releasing an updated version of iOS 12.1.4, which is designed to address a major FaceTime bug that was widely publicized last Monday. The new update comes two weeks after the launch of iOS 12.1.3, an update that introduced bug fixes.

The iOS 12.1.4 update will be available on all eligible devices over-the-air in the Settings app. To access the update, go to Settings > General > Software Update. Apple typically releases new iOS software at 10:00 a.m. Pacific Time or 1:00 p.m. Eastern Time, so that's when the update should become available.

With this update, Apple is fixing an insidious FaceTime bug that could allow someone to spy on you without your permission or knowledge. By exploiting this bug, someone could force a FaceTime call with you, giving them access to your iPhone, iPad, or Mac's audio or video even without you accepting the FaceTime call.

To do this, all someone needed to do was initiate a FaceTime call with you and then add their own phone number to the FaceTime call to convert it to a Group FaceTime call, which, apparently, forces a FaceTime connection.

From there, the person would be able to hear your audio, even though on your end, it would look like the call hadn't been accepted. If you hit the power button to make the call go away, it would give the person access to your camera.

In our testing, the bug could be initiated on iPhones running both iOS 12.2 and iOS 12.1.3, and it affected iPhones, Macs, and iPads running the latest version of Apple's software.

Shortly after the bug was publicized last Monday, Apple said that it was aware of the issue and was already working on a fix set to be released later in the week, which was later delayed until this week. Apple also temporarily made Group FaceTime unavailable by taking the server offline, which put a stop to the bug. Going forward, Group FaceTime will only be available on devices running iOS 12.1.4 or later.

With today's update, the FaceTime bug will no longer be exploitable, though it remains unclear if it has been available for use since Group FaceTime launched in October last year or if it became an issue in a later software update.


U.S. Committee Sends Letter to Tim Cook Asking for Answers About Group FaceTime Eavesdropping Flaw

The U.S. Committee on Energy & Commerce is now seeking answers from Apple over the Group FaceTime flaw that allowed people to eavesdrop on conversations.

Energy and Commerce Chairman Frank Pallone Jr. (D-NJ) and Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky (D-IL) today sent a letter [PDF] to Apple CEO Tim Cook questioning the company about how long it took Apple to address the Group FaceTime flaw, the extent to which the flaw compromised consumer privacy, and whether there are other undisclosed bugs in existence.

"While these are wonderful tools when used right, the serious privacy issue with Group FaceTime demonstrates how these devices can also become the ultimate spying machines. That is why it is critical that companies like Apple are held to the highest standards," Pallone and Schakowsky wrote to Cook. "Your company and others must proactively ensure devices and applications protect consumer privacy, immediately act when a vulnerability is identified, and address any harm caused when you fail to meet your obligations to consumers."
The two representatives ask Apple to be transparent about the investigation into the Group FaceTime vulnerability, and the steps that are being taken to protect consumer privacy going forward. Apple has not been as transparent as "this serious issue requires," according to the letter.

Pallone and Schakowsky ask Apple a number of key questions, including the following:

  • When did your company first identify the Group FaceTime vulnerability that enabled individuals to access the camera and microphone of devices before accepting a FaceTime call? Did your company identify the vulnerability before being notified by Mr. Thompson's mother?

  • Did any other customer notify Apple of the vulnerability?

  • Please provide a timeline of exactly what steps were taken and when they were taken to address the vulnerability after it was initially identified.

  • What steps are being taken to identify which FaceTime users' privacy interests were violated using the vulnerability? Does Apple intend to notify and compensate those consumers for the violation?

  • When will Apple provide notification to affected consumers?

  • Are there other vulnerabilities in Apple devices and applications that currently or potentially could result in unauthorized access to microphones and/or cameras?

Apple CEO Tim Cook will be expected to provide answers to the questions provided in the letter.

The FaceTime vulnerability came to light last Monday after details spread across social media and news sites quickly picked it up. The bug allowed a person to force a FaceTime call with another person, giving them access to the audio (and sometimes video) from an iPhone, iPad, or Mac without the person ever accepting the FaceTime call.

Apple disabled Group FaceTime on its servers to prevent the bug from being used, and the company is still working on an iOS 12.1.4 update that we are expecting to see this week.

While Apple addressed the bug after it went viral on social media, the company was informed of the issue at least a week before when a teenager discovered it and his mother attempted to contact Apple. Though she sent in multiple reports, they did not go to the right people, and Apple has since apologized and said it is committed to improving the bug reporting process.

Apple is already facing a lawsuit over the Group FaceTime issue and New York officials are also investigating.



Group FaceTime Will Remain Permanently Disabled on iOS 12.1.3 and Earlier

Apple today issued an apology for its major FaceTime security bug that allowed for eavesdropping on calls.


"We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week," said Apple in a statement issued to MacRumors and other media outlets.

For absolute clarity, we've since confirmed that this means Group FaceTime will remain permanently disabled on iOS 12.1 through iOS 12.1.3. To access Group FaceTime, users will need to update their iPhone, iPad, or iPod touch to a software update coming next week that is likely to be iOS 12.1.4.

Apple disabled Group FaceTime within hours of the bug making headlines, instantly preventing the bug from working.

Widely publicized on Monday, the FaceTime bug allowed one person to call another person via FaceTime, slide up on the interface and enter their own phone number, and automatically gain access to audio from the other person's device without that person accepting the call. In some cases, even video was accessible.


Apple's full statement issued to MacRumors:
"We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone's patience as we complete this process.

"We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us."

The bug will presumably be fixed in a subsequent iOS 12.2 beta as well.

Group FaceTime debuted with iOS 12.1 in October.


Apple Apologizes About FaceTime Bug, Software Update With Fix Delayed Until Next Week


Apple issued the following statement to MacRumors today in which it apologized for a major FaceTime eavesdropping bug:
"We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone's patience as we complete this process.

"We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us."

Widely publicized on Monday, the FaceTime bug allowed one person to call another person via FaceTime, slide up on the interface and enter their own phone number, and automatically gain access to audio from the other person's device without that person accepting the call. In some cases, even video was accessible.

We demonstrated the bug in a video earlier this week:


Apple disabled Group FaceTime as a temporary server-side solution, preventing the bug from working any longer. Apple is also working on a software update with a permanent fix that it originally said would be available this week, but it has been delayed until next week, according to Apple's statement.

Apple thanked the Thompson family for reporting the bug—supposedly over a week before it made headlines—and said it is committed to improving the process by which it receives and escalates these reports in order to quash bugs faster.

Apple already faces a lawsuit in Texas and a proposed class action lawsuit in Canada over the bug. Given the serious privacy implications involved, it is certainly possible there will be more class action lawsuits to come.



Apple’s iOS 12.1.4 Update to Fix FaceTime Eavesdropping Bug Showing Up in Analytics

Apple's upcoming fix for the FaceTime eavesdropping bug that was discovered on Monday will come in the form of an iOS 12.1.4 update, according to MacRumors analytics data.

We began seeing a handful of visits from devices running an iOS 12.1.4 update on January 29, the day after the bug was widely publicized and spread across the internet.


Apple on Monday said that a software fix for the issue would come "later this week," but now that it's Thursday, there's not a lot of time left. Apple could still release the update later today, but if not, Friday morning is the likely target launch date.

The FaceTime eavesdropping bug allowed iPhone users to exploit a privacy-invading Group FaceTime flaw that let one person connect to another person and hear conversations (and see video, in some cases) without the other person ever having accepted the call.

Apple has put a stop to the FaceTime bug by disabling Group FaceTime server side, leaving the feature unavailable, but questions remain about how long the bug was accessible and how long Apple knew about it before attempting a fix.

The mother of the teenager who originally discovered the bug shared convincing evidence that she contacted the Cupertino company as early as January 20. She did not receive a response from Apple despite sending emails and a video.

It's not clear, therefore, when the right team at Apple learned of the bug and when work on a fix was started. We did not see signs of iOS 12.1.4 in our analytics data prior to January 29, but it's possible Apple was working on a fix earlier than that.

The multi-day wait for an official solution to perhaps one of the worst Apple-related privacy bugs we've seen, however, does suggest that development on iOS 12.1.4 did not start too far ahead of when the bug went public.
