A major flaw in Apple's FaceTime feature that allows callers to eavesdrop on the recipient was publicly disclosed yesterday, just three months after the defect was introduced. Apple presents itself as the adult in the room on privacy among technology giants and generally takes rigorous security measures and a careful approach to bug hunting. So why did Apple not find such a flaw before it shipped?
Part of the problem is the rough history of the feature itself. The defect is tied to FaceTime's new group chat feature. Apple pulled this feature late in the iOS 12 beta and delayed it until October. Three months is a long time for a bug like this to be live, but it also means users did not have much time to notice this kind of strange behavior. (Apple has taken Group FaceTime offline while a patch is pending; we have contacted Apple about when and how it first heard about the bug, or whether its team found it on its own.)
Another problem is the nature of the bug, which falls outside the scope of typical bug testing. Jake Williams, founder of Rendition Infosec, says the most basic form of bug testing is "fuzzing", which sends improperly formatted input (for example, a string of up to 15 characters) to a process to see whether it breaks. The FaceTime bug would have passed a fuzzing test unnoticed, because it involves ordinary UI operations rather than a specific malformed input.
QA testing that includes real-world scenarios with real users is more likely to catch such a bug, but adding your own phone number after starting a conversation with someone else is relatively infrequent, so it easily slips through. Williams is not surprised that someone stumbled on it before Apple's own security team did. "I think about how the bug came out," he says. "We've seen this: you step back a couple of years and you think, 'Wow, how did that pass the test?'"
Katie Moussouris, founder and chief executive officer of Luta Security, says, "When you think about it, this is a fringe scenario, and why would someone test it?" She says Apple's security team is not to blame. Instead, the problem is related to Apple's response to public bug reports. Apple belongs to the 6% of Forbes 2000 companies that actually have a way to report a bug.
"What was missed here was the opportunity for support staff and social media staff to raise security bugs with the security team or the appropriate team."
That is what happened with this bug. A curious teenager reported it 8 days before the release. The teen's mother reported the bug to Apple Support, and when she did not receive an answer, she sent an email and faxed a formal notice to the company. Moussouris suspects Apple may have seen this report but focused on investigating and reproducing the bug without opening a line of communication with the reporter.
"This is a member of the general public who was trying to report what happened. It was a very serious security and privacy violation, and she tried to find the right contact from the beginning," she says. "So it looks like a black box with no response, because she had already tried all of these channels that seemed logical to her. I think Apple probably did go through an investigation, but that did not really help at first, because there was a significant delay."
It is unclear whether Apple sent any message when it first received the report. Moussouris notes that the ISO standard for vulnerability disclosure only requires acknowledging that the company has received the report, since resolving the bug can take a long time. Google's Project Zero, which hunts for zero-day bugs, can take 30 to 60 days to respond to reports. This reporter may not have known what action, if any, Apple was taking.
Some of this mystery could be resolved if Apple and other companies set clear expectations about what happens to a report: that the bug will be investigated and that the disclosure will be kept private in the meantime.
"Ideally, organizations get as many bugs as possible out of their code before shipping." "But once you know that there will be bugs, there are very creative hackers, and I can say that includes outstanding teenagers."