A recently reported bug in Facetime, caused privacy concerns last month as individuals were able to eavesdrop on users. The bug allowed anyone on Group Facetime to hear audio from the user whilst calling them. The glitch permitted this to happen before the user was able to answer or reject the call. Apple temporarily disabled the feature upon discovery. Users were further advised to disable Facetime as an extra measure until Apple fixed the bugs.
Apple has now released the following patches to remediate the bugs found:
- Shortcuts 2.1.3 for iOS
- MacOS Mojave 10.14.3 Supplemental Update
- iOS 12.1.4
Apple released security content for shortcuts 2.1.2 for iOS to patch vulnerability CVE-2019-7289 and CVE-2019-7290. It improved path validation to stop local users viewing sensitive user information. The second shortcut dealt with the sandboxing issue by adding more sandbox restrictions.
MacOS Mojave 10.14.3 Supplemental Update
Available for macOS Mojave 10.14.3 deals with the Facetime vulnerabilities which resulted in users phones automatically answering a call from the admin of a group Face time. Improving state management patched CVE-2019-6223 vulnerability. Live photos in Facetime received patching following a security audit carried out by Apple. Vulnerability CVE-2019-7286 is also patched with improved input validation, mitigating abuse in elevated privilege access.
This security content is also for Facetime vulnerability CVE-2019-7286 on the following devices:
- iPhone 5 and above
- iPad Air and above
- iPod Touch 6th generation
IOKit, Facetime and Live Photos in Facetime additionally received patches under iOS 12.1.4. These dealt with kernel privilege issues whilst also improving Facetime servers and state management.
Bug Bounty Reward
In the meantime, the teenager who discovered the Facetime bug, 14year old Grant Thompson, will be compensated. Apple intends to reward Thompson with a gift towards his education as well as a payout under its Bug Bounty.
Apple apologised to users for the bugs found.