A Bug in FaceTime Allows One To Access Someone's iPhone Camera And Microphone Before They Answered the Call; Apple Temporarily Disables Group FaceTime Feature

Social media sites lit up today with anxious Apple users after a strange glitch in iPhone's FaceTime app became apparent. The issue: It turns out that an iPhone user can call another iPhone user and listen in on -- and access live video feed of -- that person's conversations through the device's microphone and camera -- even if the recipient does not answer the call. In a statement, Apple said it was aware of the bug and was working to release a fix later this week. In the meanwhile, the company has disabled Group calling functionality on FaceTime app. From a report: The issue was so serious that Twitter CEO Jack Dorsey, and even Andrew Cuomo, governor of the state of New York, weighed in and urged their followers to disable FaceTime. [...] That's bad news for a company that's been vocal about privacy and customer data protection lately. The timing couldn't be worse, given that Apple is set to host its earnings call for the October-December quarter of 2018 in just a matter of hours.

Re:How did this happen?

As I understand it, it works like this: You call someone you want to snoop on. Then, when they don't answer, you make it a group call by saying "add member" and then add yourself. (Why are you allowed to do this? I don't know.) At this point it switches to "group" mode and now the other person is suddenly in the group call, transmitting video and audio, without ever having picked up. Presumably it would also work if you added someone else to make it a group call, but the demo I saw just added themselves.

As for how it happened, Apple missed releasing the "group FaceTime" feature when iOS 12 launched and had to delay it. Apparently they didn't delay it enough - I'm assuming they were rushing to fix whatever was holding it back, and they missed that you could force people into group calls. (I'm also unclear on if you can spy on even more people by adding them all to your new group call.)

Re: How did this happen?

[c6gunner]

It sucks but it could be worse - you could have an Android phone that will never get any security fixes.

Err. This is an application. You understand that applications and the OS are two different things, right?

Re:Programmers that are trying to make things work

For decades one of the most popular sayings in programming was "garbage in, garbage out". That's no longer an acceptable way of thinking. That garbage that comes out, random bytes from RAM, can include your private key. Once your application is on the internet, it has to be "garbage is the default thing I'm expecting, and leads to DENIED out. Only if input exactly matches the specification will you get anything out". It's a different way of thinking.

I think you are completely misunderstanding what "garbage in, garbage out" means. It never ever means "output random bytes from RAM". It means that if you mean to ask a program for the function of a perfectly valid input but accidentally give it a completely different but perfectly valid input, then the program responds with the function of the input you ACTUALLY gave it rather than the one you intended.

What you're claiming (as opposed to what you're intending to claim) is that if I take a calculator and type in sqrt(82) it should display "DENIED" because the calculator should somehow just know that I had meant to type sqrt(28).

It sounds like you are referring to the concept of "undefined behaviour", which is unrelated to GIGO.