Security Experts:

Connect with us

Hi, what are you looking for?



Lawmakers Concerned About Apple’s Handling of FaceTime Spying Bug

Two members of the U.S. House of Representatives want to know more about how Apple has handled the recently disclosed bug that made it easy to spy on FaceTime users.

Two members of the U.S. House of Representatives want to know more about how Apple has handled the recently disclosed bug that made it easy to spy on FaceTime users.

In a letter sent to Apple CEO Tim Cook, Democrats Frank Pallone and Jan Schakowsky, both members of the House’s Committee on Energy and Commerce, have asked the tech giant for more transparency on its investigation into the FaceTime bug.

Apple has been given until February 19 to answer several questions, including when it first learned about the FaceTime vulnerability, the steps taken to address the issue, what procedures are in place to identify such flaws prior to release of a product and why did those procedures fail in this case, and why it has taken so long to release a patch.

Lawmakers ask Apple about FaceTime bugLawmakers also want to know if steps are being taken to identify users whose “privacy interests were violated as a result of this vulnerability,” and if Apple plans on notifying and compensating them.

Finally, Pallone and Schakowsky want to know if Apple is aware of other vulnerabilities that could give someone access to a device’s microphone and/or camera.

The FaceTime bug, discovered by a 14-year-old from Arizona, allows an attacker to spy on FaceTime users through their microphone and camera simply by calling the targeted user and adding the attacker’s own number to a group chat. While the hacker can hear and possibly even see the victim, on the victim’s side it appears as if the call still hasn’t been answered.

Apple suspended the Group FaceTime feature after the bug was disclosed, but a lawyer from Texas has filed a lawsuit against the company, claiming that the vulnerability was exploited to record a client’s private deposition.

Grant Thompson, the teen who discovered the vulnerability, and his mother attempted to report the findings to Apple for more than ten days before the flaw’s existence became public, but they said their attempts were ignored.

A few days after public disclosure, Apple implemented a server-side fix and promised to roll out a software update sometime this week.

While Thompson would normally not qualify for a bug bounty, CNBC reported that a high-level Apple executive met with the Thompsons and suggested that the company could make an exception in this case.

Authorities in New York have launched their own investigation into this incident. The probe, announced last week by New York’s governor and attorney general, focuses on Apple’s failure to warn customers and the company’s slow response.

It’s clear that Apple needs to make improvements to its vulnerability reporting process and its bug bounty program. Another example involves Germany-based Linus Henze, who earlier this week published a video demonstrating a macOS vulnerability that can be exploited to steal passwords from the Keychain. The researcher has refused to provide Apple full details of the security hole due to the fact that his findings are not covered by the company’s bug bounty program.

Related: Apple Patches Dozens of Vulnerabilities in iOS, macOS

Related: Apple Patches Passcode Bypass, FaceTime Flaws in iOS

Related: iOS Lockscreen Bypass Abuses New Group FaceTime Feature

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.