
A teenager found Apple's FaceTime bug – and why it was so hard to report it - minimaxir
https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961
======
joshstrange
> Benjamin Mayo, the app developer and blogger who broke the story for
> 9to5Mac, said that he did see Thompson's tweet after his article was
> published but that she did not have anything to do with his reporting.

So Benjamin Mayo found this bug separately? I'm always astounded when you have
2 entities both tracking down the same bug at the same time. I think the same
thing happened with Meltdown/Spectre IIRC?

Also it seems like contacting someone like 9to5Mac in the first place would
have been a far better option than mentioning @foxnews in a tweet...

~~~
bitxbitxbitcoin
I'm frankly not that surprised that in this day and political/social media age
a teen would think that tweeting @foxnews is a viable way to get breaking
news out.

~~~
_Schizotypy
I thought it was the teen's mother, who may be an attorney.

~~~
joshstrange
Yeah, I read it as the mother as well. And it talks about how she got a
developer account to try to contact them? I guess maybe I understand that,
somewhat?

I don't know, it just feels like yeah they tried a lot of ways to contact
apple but maybe not the right ones. I mean look:

> Thompson provided emails to NBC News that showed her efforts to contact
> Apple, including an Apple representative who directed her to the company's
> "bug reporter" program and bug bounty program.

Apple told her to look at the bounty program but the article doesn't say she
followed up so I'm guessing she didn't. Regular customer service isn't
equipped to deal with security holes/bugs so I would expect this response.

So yeah... I mean this whole article is about all the things she tried and how
they didn't work but she didn't really try any of the right ways. The FIRST
Google result for "report ios security hole" is a link to Apple with the title
"Contact Apple About Security Issues" [0] with the line:

> To report security or privacy issues that affect Apple products or web
> servers, please contact product-security@apple.com.

[0] [https://support.apple.com/en-us/HT201220](https://support.apple.com/en-us/HT201220)

~~~
jrochkind1
The NYT article ([https://www.nytimes.com/2019/01/29/technology/facetime-glitc...](https://www.nytimes.com/2019/01/29/technology/facetime-glitch-apple.html)) says:

> His mother, Michele Thompson, sent a video of the hack to Apple the next
> day, warning the company of a “major security flaw” that exposed millions of
> iPhone users to eavesdropping. When she didn’t hear from Apple Support, she
> exhausted every other avenue she could, including emailing and faxing
> Apple’s security team, and posting to Twitter and Facebook. On Friday,
> Apple’s product security team encouraged Ms. Thompson, a lawyer, to set up a
> developer account to send a formal bug report

~~~
joshstrange
Dear god... Come on Apple, if that's all true that's pretty stupid/shitty of
Apple. I guess maybe anyone filing bug bounty reports probably has a
developer account so it's not a big deal? Also it's not clear if they mean a
paid account or a free one. I'm guessing they just needed a way to let her
submit the issue and open a dialog via their existing tools and workflows but
maybe I'm being too generous to Apple.

~~~
jrochkind1
I mean, I'm sure that's what they were thinking.

The fact remains that they have no suitable process for a non-developer to
give them a vulnerability report that they pay attention to. She seems to have
tried really hard, without having the background to know the 'right' way.

You gotta have a way for people who don't know the 'right' way to submit and
have it get somewhere, right? Without having to try really hard. They're doing
you a favor.

> To report security or privacy issues that affect Apple products or web
> servers, please contact product-security@apple.com

You think "emailing Apple's security team", which the NYT says she did, was
emailing that address? I'm guessing it was, and apparently it didn't actually
result in anyone paying attention. The email address they advertise as being
the place to report security issues....

If they actually want/need people to create developer accounts and use a tool
there, maybe they should say that and not give an email address apparently
nobody pays attention to...

------
eecsninja
Not to defend Apple, but I wonder how many bug reports they get from
tech-illiterate people who think something is broken or a bug when it's
working as intended, or is the result of operator error. If there's a lot of
those reports, the real bugs can get lost in the noise real quick.

