After a 10-day delay, Apple has finally started to roll out the iOS 12.1.4 update, which fixes the FaceTime bug that let a caller discreetly listen in on people's conversations even when the receiver had not answered the call. Along with the iOS update, the Cupertino-based giant also announced that it will compensate 14-year-old Grant Thompson and his family, who reported the bug to the company. Apple also announced an additional gift to fund the kid’s education.
What’s the issue?
To start a FaceTime group call, you need to add multiple receivers. It sometimes happens that one of the receivers hasn’t answered the FaceTime call. The bug allowed the caller to hear the audio of the person who was called, even if he/she had not accepted the call. In this scenario, even if the receiver of the call pressed the power button to mute the call, his/her audio would be audible to the caller. This bug enabled the caller to listen in on the conversation for as long as the phone was ringing.
“Today's software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos features of FaceTime for older versions of iOS and macOS,” Apple said in a statement.
Apple was also sued by a Houston-based lawyer, who claimed that his iPhone allowed an unknown person to eavesdrop on a private conversation with a client. The attorney, Larry Williams II, said the glitch intrudes on the privacy of “one’s most intimate conversations without consent”. The attorney sought “unspecified punitive damages on his claims of negligence, product liability, and warranty breach”.
Apple told The Verge that it is compensating the family of the 14-year-old child for discovering the vulnerability, as well as providing an additional gift to fund Grant’s tuition. Apple hasn’t revealed exactly how much it’s paying the Thompson family. The news comes three days after an Apple executive flew in to Tucson to meet with Grant and take his feedback. The executive reportedly thanked the child and his mother.
Apple’s history with bug bounty rewards is mixed. The company originally started paying iOS bounties three years ago, but researchers have been reluctant to help Apple with its security. Apple offers up to $200,000 to security researchers who discover vulnerabilities and report them, but the bugs are often more valuable to sell elsewhere than to report.
Apple is making an exception by rewarding Grant because its “bug bounty” programme reportedly works on an invite-only basis and is limited to specific categories of security flaws. Apple launched the bug bounty programme in 2016 to rope in outside security researchers to help the company find and fix flaws. It offers up to $200,000 to bug reporters, but The Verge says that the researchers “have been reluctant to help Apple with its security because the bugs are often more valuable to sell elsewhere than to report.”