Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Incident Response

Apple Patches FaceTime Spying Vulnerability

Apple has finally released an iOS update that should fully patch the Group FaceTime vulnerability that could have been exploited to spy on users through their device’s microphone and camera.

Apple has finally released an iOS update that should fully patch the Group FaceTime vulnerability that could have been exploited to spy on users through their device’s microphone and camera.

Apple described the flaw, tracked as CVE-2019-6223, as a logic issue in the handling of Group FaceTime calls. The company says the problem has been addressed with “improved state management.”

The bug allowed an attacker to spy on FaceTime users by calling the targeted user and adding the attacker’s own number to a group chat. While the hacker could hear and possibly even see the victim, on the victim’s side it appeared as if the call still hadn’t been answered.

Interestingly, Apple has credited both Grant Thompson, a 14-year-old from Arizona, and Daven Morris, or Arlington, Texas, for reporting the vulnerability.

Apple patches FaceTime vulnerabilityThompson and his mother attempted to report the findings to Apple more than 10 days before details of the bug became public, but their attempts were ignored by the tech giant. Apple admitted that it dropped the ball in this case and promised to improve its vulnerability reporting process. It has also promised to pay Thompson a bug bounty, but it’s unclear if Morris will receive a bounty as well.

Apple disabled the Group FaceTime feature after learning of the flaw’s existence. It then implemented a server-side fix and now it has released updates for both iOS and macOS Mojave to fully address the issue. The Group FaceTime service has now been restored.

The iOS update (version 12.1.4) also patches two privilege escalation and code execution vulnerabilities that Google says have been exploited in the wild. One of these flaws has also been resolved in macOS Mojave.

While investigating the FaceTime bug, Apple also discovered an issue related to the Live Photos feature in FaceTime. The flaw, tracked as CVE-2019-7288, has been patched through “improved validation on the FaceTime server.”

Advertisement. Scroll to continue reading.

The FaceTime bug has caused a lot of problems for Apple. A lawyer from Texas has filed a lawsuit against the company, claiming that the vulnerability was exploited to record a client’s private deposition.

Authorities in New York have launched an investigation into Apple’s slow response, and two lawmakers demand that the company be more transparent about how it handled this incident.

Related: Apple Patches Dozens of Vulnerabilities in iOS, macOS

Related: Apple Patches Passcode Bypass, FaceTime Flaws in iOS

Related: iOS Lockscreen Bypass Abuses New Group FaceTime Feature

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.