Apple has finally released an iOS update that should fully patch the Group FaceTime vulnerability that could have been exploited to spy on users through their device’s microphone and camera.
Apple described the flaw, tracked as CVE-2019-6223, as a logic issue in the handling of Group FaceTime calls. The company says the problem has been addressed with “improved state management.”
The bug allowed an attacker to spy on FaceTime users by calling the targeted user and adding the attacker’s own number to a group chat. While the hacker could hear and possibly even see the victim, on the victim’s side it appeared as if the call still hadn’t been answered.
Interestingly, Apple has credited both Grant Thompson, a 14-year-old from Arizona, and Daven Morris, or Arlington, Texas, for reporting the vulnerability.
Thompson and his mother attempted to report the findings to Apple more than 10 days before details of the bug became public, but their attempts were ignored by the tech giant. Apple admitted that it dropped the ball in this case and promised to improve its vulnerability reporting process. It has also promised to pay Thompson a bug bounty, but it’s unclear if Morris will receive a bounty as well.
Apple disabled the Group FaceTime feature after learning of the flaw’s existence. It then implemented a server-side fix and now it has released updates for both iOS and macOS Mojave to fully address the issue. The Group FaceTime service has now been restored.
The iOS update (version 12.1.4) also patches two privilege escalation and code execution vulnerabilities that Google says have been exploited in the wild. One of these flaws has also been resolved in macOS Mojave.
While investigating the FaceTime bug, Apple also discovered an issue related to the Live Photos feature in FaceTime. The flaw, tracked as CVE-2019-7288, has been patched through “improved validation on the FaceTime server.”
The FaceTime bug has caused a lot of problems for Apple. A lawyer from Texas has filed a lawsuit against the company, claiming that the vulnerability was exploited to record a client’s private deposition.
Authorities in New York have launched an investigation into Apple’s slow response, and two lawmakers demand that the company be more transparent about how it handled this incident.
Related: Apple Patches Dozens of Vulnerabilities in iOS, macOS
Related: Apple Patches Passcode Bypass, FaceTime Flaws in iOS
Related: iOS Lockscreen Bypass Abuses New Group FaceTime Feature

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
Latest News
- Sentra Raises $30 Million for DSPM Technology
- Cyber Insights 2023: Cyberinsurance
- Cyber Insights 2023: Attack Surface Management
- Cyber Insights 2023: Artificial Intelligence
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- Guardz Emerges From Stealth Mode With $10 Million in Funding
- How the Atomized Network Changed Enterprise Protection
- Critical QNAP Vulnerability Leads to Code Injection
