
Apple was warned about the FaceTime eavesdropping bug last week - josu
https://www.theverge.com/2019/1/29/18202398/apple-facetime-bug-warned-eavesdropping
======
benologist
It's somehow never the tech companies' fault for willfully designing inept
feedback channels or even null-routed feedback channels in Google's case to
impede customers communicating with them. I think many companies, especially
given $200b in savings, could have handled this report better. Many companies
without $200b can receive information from a customer without it passing
through journalists first.

What's especially pathetic is it doesn't matter what you're reporting - a
grave security bug, a widespread hardware flaw, a longing for better
functionality - Apple doesn't _want_ to know. In fact they warned iOS
developers against _trying to get their attention_.

    
    
         If you run to the press and trash us, it never helps.
    

[https://medium.com/@krave/apple-s-app-store-review-process-i...](https://medium.com/@krave/apple-s-app-store-review-process-is-hurting-users-but-we-re-not-allowed-to-talk-about-it-55d791451b)

~~~
tome
That Medium article presents the quotation as though it's literally something
that Apple wrote. It doesn't actually appear on the page it supposedly came
from, nor does anything like it, as far as I can see.

[https://developer.apple.com/app-store/review/guidelines/](https://developer.apple.com/app-store/review/guidelines/)

[EDIT: Apple did indeed literally write that in a previous version of the
page. Wow.]

~~~
itdaniher
It's visible verbatim in an archived version of the page. See:

[https://web.archive.org/web/20141226094343/https://developer...](https://web.archive.org/web/20141226094343/https://developer.apple.com/app-store/review/guidelines/)

------
jm20
I can only imagine the amount of bug reports, real and false, that a company
of Apple's size must receive on a daily basis. Is there any company at that
scale that can reliably filter through all of them to find actual, critical
bugs quickly?

It simply isn't as easy as saying 'flag all reports with "security
vulnerability" in the submission for priority.' That could still be thousands
of reports in the 'priority' queue, most of which some person would need to
manually investigate one by one.

~~~
sgentle
If you are able to perform the following steps for any of Amazon, Google,
Facebook, Netflix, Microsoft or Twitter, I will literally eat a hat (you may
choose what kind):

1. Discover an easily exploitable vulnerability that allows access to a
chosen user's private data

2. Email their security address about it

3. Tweet at them about it

4. _Fax them_ about it

5. A week later the vulnerability is still exploitable

You do not have to play fair. You're allowed to impersonate a suburban mom or
a grandpa who's not good with technology. You're allowed to ramble or use
vague and non-technical terms as long as a reasonably qualified person could
determine what the vulnerability is. Specifically, it is _not_ required that
you include relevant product versions, steps to reproduce, a full reproduction
video, or a one-sentence impact summary like "a caller can eavesdrop on the
recipient of a Group Facetime call without their knowledge or consent".

There's no apologising this away. The vulnerability was already a monumental
fuckup, but this detail propels it into the realm of cultural dysfunction. It
should not be possible to fail this badly. If you put listening devices in
people's pockets, you need to hold yourself to a higher standard than "I
dunno, bug reporting is hard".

~~~
Tepix
There have been numerous examples in the past where companies like Microsoft
have taken _way_ longer than one week to fix serious vulnerabilities. What
makes you so confident you won't be eating a lot of hats?

~~~
iamaelephant
Are any of these examples in recent history, in software terms? Software
culture, especially with regards to security, has come a long, long way since
the bad old days. I agree with the parent comment. This is not acceptable in
2019.

Can you point to any of these numerous examples?

~~~
coldtea
> _Are any of these examples in recent history, in software terms?_

Yes.

~~~
Humdeee
Is there a reason why the rest of the parent comment was left unaddressed? The
implication was to provide such examples. I'm also curious to hear.

~~~
coldtea
Several such cases are made public every year.

Here's one:

[https://www.zdnet.com/article/microsoft-jet-vulnerability-st...](https://www.zdnet.com/article/microsoft-jet-vulnerability-still-open-to-attacks-despite-recent-patch/)

"The vulnerability came to light in mid-September after the Trend Micro Zero-
Day Initiative (ZDI) posted details about it on its site. ZDI said Microsoft
had failed to patch the flaw in due time and they decided to make the issue
public, so users and companies could take actions to protect themselves
against any exploitation attempts."

Or how about this?

"Google Admin, one of Android’s system-level apps, may accept URLs from other
apps and, as it turned out, any URLs would be fine, even those starting with
‘file://’. As a result, simple networking stuff like downloading web pages
starts to evolve into a whole file manager kind of thing. Aren’t all Android
apps isolated from each other? Heck no, Google Admin enjoys higher privileges,
and by luring it into reading some rogue URL, an app can escape the sandbox and
access private data. How was that patched? First, allow me to brief you on the
way independent researchers disclosed the vulnerability. It was discovered as
far back as March, with a corresponding report submitted to Google. Five
months later, the researchers once again checked out what was going on only to
find the bug remained unpatched. On the 13th of August the information on the
bug was publicly disclosed, prompting Google to finally issue the patch."

[https://www.kaspersky.com/blog/security-week-34/9637/](https://www.kaspersky.com/blog/security-week-34/9637/)
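
The Google Admin case quoted above comes down to a privileged component loading any URL a less-privileged app hands it, `file://` included. The following is an added example (not Google's code, and not from the Kaspersky write-up) showing the check as the quote describes it next to an allowlist check that a practitioner would put at such a trust boundary. The sample URLs are constructed for illustration; `ALLOWED_SCHEMES` and the function names are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample of URLs another app might hand to a privileged component
# (illustrative only; not taken from the write-up).
SAMPLE_URLS = [
    "https://admin.example.com/console",
    "http://example.com/",
    "file:///data/data/com.example.target/shared_prefs/secrets.xml",
    "FILE:///etc/hosts",                 # scheme is case-insensitive
    "\tfile:///etc/hosts",               # leading control char; lenient parsers drop it
    "javascript:alert(document.cookie)",
    "content://com.android.contacts/data",
    "http:///etc/passwd",                # empty authority, path-only
    "//evil.example.net/",               # scheme-relative: inherits the caller's scheme
]

ALLOWED_SCHEMES = frozenset({"http", "https"})   # assumption: only web content is legitimate


def accept_url_as_in_bug(url: str) -> bool:
    """Reproduces the behaviour the quoted text describes: anything with a
    scheme is handed to the loader, file:// included."""
    return bool(urlsplit(url).scheme)


def accept_url(url: str) -> bool:
    """Allowlist check for URLs crossing a trust boundary."""
    # Reject control characters outright instead of trusting the parser to
    # strip them the same way the eventual loader will.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    parts = urlsplit(url.strip())
    if parts.scheme not in ALLOWED_SCHEMES:      # urlsplit lowercases the scheme
        return False
    if not parts.hostname:                       # "http:///path" is really a local path
        return False
    return True


def triage(urls=SAMPLE_URLS) -> dict:
    """Return {url: (accepted_by_buggy_check, accepted_by_allowlist)}."""
    return {u: (accept_url_as_in_bug(u), accept_url(u)) for u in urls}


if __name__ == "__main__":
    for url, (buggy, safe) in triage().items():
        print(f"{buggy!s:5} {safe!s:5} {url!r}")
```

The point of the tab and scheme-relative cases is that the check must be done on the same normalized string the loader will use, or rejected outright; a filter that only looks for the literal prefix `file://` is bypassed by a capitalised or whitespace-prefixed scheme.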

------
markonen
Years ago my team and I discovered a pretty significant bug in
Safari's/CFNetworking's TLS implementation. Once the browser had deemed a
certificate valid once, it would subsequently accept it for all hostnames. We
got absolutely nowhere with Apple's official security contacts. The issue only
got resolved months later, after I was able to find an employee from their
security team at WWDC and explain the issue face to face.
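
The bug described in this comment is a validation cache keyed on the certificate alone, so the hostname check from the first connection is silently reused for every later hostname. The following is an added example, not Apple's code and not the commenter's, that reproduces that pattern next to the corrected form. The certificate type, the `TRUSTED:` marker standing in for chain validation, and the hostnames are constructed assumptions of this example; the name matching follows the RFC 6125 rules (exact match or a single leftmost wildcard label).

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed leaf certificate (not real X.509)."""
    der: bytes          # would be the DER encoding; used only for the fingerprint
    sans: tuple         # dNSName entries from subjectAltName


def fingerprint(cert: Cert) -> str:
    return hashlib.sha256(cert.der).hexdigest()


def chain_is_trusted(cert: Cert) -> bool:
    """Stand-in for the hostname-independent work (chain building, signature
    and expiry checks). Assumption: it passes when the constructed DER bytes
    carry a TRUSTED: prefix."""
    return cert.der.startswith(b"TRUSTED:")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName matching: exact match, or one wildcard that
    covers exactly one leftmost label and never a public suffix like *.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern.split(".")[1:]      # labels after the wildcard
    labels = hostname.split(".")
    return len(suffix) >= 2 and len(labels) == len(suffix) + 1 and labels[1:] == suffix


def name_ok(cert: Cert, hostname: str) -> bool:
    return any(hostname_matches(san, hostname) for san in cert.sans)


class VerifierCachedByCert:
    """The bug pattern: the cache key is the certificate alone, so the second
    hostname rides on the first hostname's verdict."""

    def __init__(self):
        self.accepted = set()

    def verify(self, cert: Cert, hostname: str) -> bool:
        if fingerprint(cert) in self.accepted:
            return True                     # BUG: hostname never consulted here
        ok = chain_is_trusted(cert) and name_ok(cert, hostname)
        if ok:
            self.accepted.add(fingerprint(cert))
        return ok


class VerifierCachedByChainOnly:
    """Fixed form: only the hostname-independent result is cached, and the
    name check runs on every connection."""

    def __init__(self):
        self.chain_ok = {}

    def verify(self, cert: Cert, hostname: str) -> bool:
        fp = fingerprint(cert)
        if fp not in self.chain_ok:
            self.chain_ok[fp] = chain_is_trusted(cert)
        return self.chain_ok[fp] and name_ok(cert, hostname)


def demo() -> dict:
    """Two connections with the same (valid) certificate: the legitimate host
    first, then an unrelated host a man-in-the-middle could present it for."""
    cert = Cert(der=b"TRUSTED:example-leaf", sans=("example.com", "*.example.com"))
    buggy, fixed = VerifierCachedByCert(), VerifierCachedByChainOnly()
    return {
        "www.example.com": (buggy.verify(cert, "www.example.com"),
                            fixed.verify(cert, "www.example.com")),
        "login.bank.test": (buggy.verify(cert, "login.bank.test"),
                            fixed.verify(cert, "login.bank.test")),
    }


if __name__ == "__main__":
    for host, (buggy_says, fixed_says) in demo().items():
        print(f"{host}: cert-keyed cache -> {buggy_says}, chain-only cache -> {fixed_says}")
```

The lesson generalises beyond this one bug: anything cached from a TLS handshake must be keyed on every input that contributed to the verdict, and the hostname is an input to the verdict even though it is not part of the certificate.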

~~~
jackson1way
Care to tell how it went? Did he have an explanation why the process was so
crappy? Did he maybe even know about your bug report but was unable to do
something about it because of some bureaucracy?

~~~
markonen
We did not have any visibility into the process. Overall I think they just
didn’t see it as that big of a deal, definitely not big enough to change
release schedules for. This got assigned a CVSS score of 6.8, so not Critical
or even High severity. Still feels pretty severe to me, but I guess that’s how
everyone who discovers an issue like this would feel…

------
FactolSarin
When I saw the headline, I assumed it was a situation where someone had
emailed the wrong address or only tried to contact them via Twitter. But upon
reading the article I see this is a high-quality report. She was sounding
alarms and emailing all the right people. It is insane that Apple missed
this.

I think at this point, we need Tim Cook to write an apology piece about how
they screwed up, how this won't happen again, and who got fired.

~~~
jdavis703
We also need some kind of hardware indicator like a light that indicates when
the mic or camera are turned on. After a blunder like this, a privacy-focused
company needs to rebuild trust that it takes privacy seriously.

~~~
judge2020
There already is one when an app is still listening to your microphone in the
background, a giant red bar at the top of the screen. The difference with this
bug is that the facetime call pre-initializes microphone and video to reduce
the initial connection delay.

~~~
jdavis703
Right, I don’t want something in the software which is what happens today. I
want a hardware indicator, that should in theory be harder to break or hack
(and should make this kind of bug more obvious to a QA team and the general
public).

------
osrec
Not turning out to be a great week for Apple. Even if they do receive a large
number of bug reports, I would like to think they have the resources (let's
face it, they're not cash-strapped) to resolve something as critical and
privacy-focused as this. Their failure to do so makes a mockery of their users
who pay a significant premium for their products, often in the name of
privacy.

------
webmobdev
What is happening with Apple - people used to justify the high cost of Apple
devices claiming they paid for the "high quality". But now ... First the "bug"
that allowed root access on macOS and now this "bug" that literally allowed
anyone to spy on you through your iPhone? Not to speak of iPads / iPhones that
bend, iOS throttling due to weak batteries etc. etc.

Something is quite wrong ...

~~~
SmellyGeekBoy
I'm no Steve Jobs fan or Apple apologist but it seems obvious enough - Jobs
was the force driving the company forward and now the momentum he created is
finally starting to wear off. I really hope they can get their shit together
sooner or later as they still seem the best of a bad bunch wrt privacy - at
least for now.

------
dang
[https://news.ycombinator.com/item?id=19029594](https://news.ycombinator.com/item?id=19029594)
is another article on this. Also
[https://news.ycombinator.com/item?id=19029548](https://news.ycombinator.com/item?id=19029548).

~~~
josu
I submitted it before those 2 articles, but it got lost on new. It got
resubmitted by the admin, who sent me this email:

We thought you might like to know that we put
[https://news.ycombinator.com/item?id=19029573](https://news.ycombinator.com/item?id=19029573)
in the second-chance pool, so it will get a random placement on the front page
sometime in the next 24 hours.

This is part of an experiment in giving good HN submissions multiple chances
at the front page. If you're curious, you can read about it at
[https://news.ycombinator.com/item?id=11662380](https://news.ycombinator.com/item?id=11662380)
and other links there.

~~~
dang
Yup, that was me. When we merge threads, we try to favor the earliest
submission. Eventually we're hoping to have some kind of karma sharing so it
isn't such a lottery.

~~~
flurdy
I submitted the WSJ story only 2 minutes before Josu's original The Verge
submission. Josu's submission was just above mine on the "new" page, so when I
clicked on it and read the Verge article I realised it was a better article
than the one I submitted (and not paywalled).

My first comment on my own submission was for people to look at the other
article as well/instead.

Karma sharing sounds nice, but in the end, I just want people to read the
better article.

~~~
dang
You're right! Yours was earlier. Either I didn't notice that or I saw your
comment or I decided the other article was better... can't remember.

Thanks for caring about the quality of HN. That's what matters.

------
ninedays
People who think that what happened is unacceptable need to understand that
Apple must receive a lot of these types of calls every week. What would you do
if someone sent you multiple messages saying that they found a major issue
_without even detailing anything_ while this person actually wants you to
give them money for what they found (which they still haven't disclosed any
information about)? I'm sure the majority would ignore these calls unless
some details were shared about the issue.

I am not surprised about what happened at all. There is an argument that can
be made about the fact that it took Apple so many years to finally implement
group video calls that they could have taken a little bit of time to do it right,
but other than that, I don't see how Apple could have prevented a bug that a
person wasn't willing to disclose without having money first.

~~~
LfLxfxxLxfxx
The actual tip:
[https://pbs.twimg.com/media/DyGIwiHVYAAJaxH.jpg](https://pbs.twimg.com/media/DyGIwiHVYAAJaxH.jpg)

You don't see this kind of stuff every week, and surely Apple has the
resources to at least confirm it.

~~~
zymhan
You're telling me some random customer wrote _THAT_ writeup? That's
impressive.

~~~
sangnoir
Random _lawyer_ - turns out the ability to describe things in clear,
unambiguous language and in detail results in pretty high quality bug reports.

------
romeisendcoming
Another product stream and company (and hype) I was never a fan of. Best thing
they did was to rip off FreeBSD and the worst was break *nix compliant
userspace + influence design UX and UI patterns for a new generation.

------
pantulis
There has been recently some activity here in HN regarding formal model
checking and protocol verification (TLA+, SPIN, Promela...) I guess they are
relevant to this case.

This stuff is hard.

------
qrbLPHiKpiux
That letter from the lawyer to Apple is quite inflammatory.

~~~
auiya
How so?

------
renholder
Maybe I'm just too old and cantankerous and just don't "get it", but warning
Apple via Twitter[0] isn't really following a Coordinated Vulnerability
Disclosure process, yeah?

[0] -
[https://resources.sei.cmu.edu/asset_files/SpecialReport/2017...](https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)

EDIT: Changed the link to the CERT guide for CVD.

~~~
ibero
Reading that document you provided, the mother was correct to hit up Twitter, as
they suggest that "Customers" contact Apple Support. Their Twitter is an
official channel to that end.

The only area in that document under which she would have reached out to Apple's
security contact is the heading "Security and privacy researchers",
which I doubt she thought of herself or her 14-year-old son as.

~~~
renholder
>...of which I am doubting she thought herself or her 14 year old son as.

Yet, that[0] is precisely what she did...? Your argument falls on its face by
her own action[s].

EDIT: Note in the screenshot that there's an appended "Follow-Up" with what
looks to be an ID, which has been added to the Subject field of the email.

[0] - [https://cdn.vox-cdn.com/thumbor/zrezAXK0-NdK3ugN3G2Uwd_vzuo=...](https://cdn.vox-cdn.com/thumbor/zrezAXK0-NdK3ugN3G2Uwd_vzuo=/0x0:1672x806/920x0/filters:focal\(0x0:1672x806\):no_upscale\(\)/cdn.vox-cdn.com/uploads/chorus_asset/file/13723266/Screen_Shot_2019_01_29_at_2.07.07_PM.png)

------
a-dub
from petaluma to kankakee! finding bugs in the internet of shitty things! the
latest craze to sweep the nation!

------
jachee
How many other hundreds-of-billions-of-dollars companies could produce a
production code fix faster?

~~~
briandear
It should only take a few minutes if you’re the average HN commentator.

~~~
olliej
A HN commentator would never have made such a bug in the first place. Duh. :D

~~~
olliej
Follow up, would it be “an HN” or “a HN”? eg hatche-en or atche-n or hacker?

As before I’m sure the worlds greatest linguist will also be here :)

~~~
howenterprisey
Probably "an HN", as saying the letter "H" sounds like "ayy-ch" (in American
pronunciation, at least), which has an initial vowel sound.

~~~
olliej
Right, but when I tried saying it in my head it seemed weird because my brain
turns it into “an hacker news” :)

