Apple has finally released an iOS update that should fully patch the Group FaceTime vulnerability that could have been exploited to spy on users through their device’s microphone and camera.
Apple described the flaw, tracked as CVE-2019-6223, as a logic issue in the handling of Group FaceTime calls. The company says the problem has been addressed with “improved state management.”
The bug allowed an attacker to spy on FaceTime users by calling the targeted user and adding the attacker’s own number to a group chat. While the hacker could hear and possibly even see the victim, on the victim’s side it appeared as if the call still hadn’t been answered.
Interestingly, Apple has credited both Grant Thompson, a 14-year-old from Arizona, and Daven Morris, or Arlington, Texas, for reporting the vulnerability.
Thompson and his mother attempted to report the findings to Apple more than 10 days before details of the bug became public, but their attempts were ignored by the tech giant. Apple admitted that it dropped the ball in this case and promised to improve its vulnerability reporting process. It has also promised to pay Thompson a bug bounty, but it’s unclear if Morris will receive a bounty as well.
Apple disabled the Group FaceTime feature after learning of the flaw’s existence. It then implemented a server-side fix and now it has released updates for both iOS and macOS Mojave to fully address the issue. The Group FaceTime service has now been restored.
The iOS update (version 12.1.4) also patches two privilege escalation and code execution vulnerabilities that Google says have been exploited in the wild. One of these flaws has also been resolved in macOS Mojave.
While investigating the FaceTime bug, Apple also discovered an issue related to the Live Photos feature in FaceTime. The flaw, tracked as CVE-2019-7288, has been patched through “improved validation on the FaceTime server.”
The FaceTime bug has caused a lot of problems for Apple. A lawyer from Texas has filed a lawsuit against the company, claiming that the vulnerability was exploited to record a client’s private deposition.