FaceTime FauxPas: Sorry-not-sorry about the bug bounty boo-boo

Richi Jennings, Industry analyst and editor, RJAssociates

Apple says sorry for the privacy-busting FaceTime bug we talked about last week.

But there’s no apology yet to the kid and his mother who tried their best to report the “FacePalm” bug to Apple, yet kept facing brick wall after brick wall. Although there is the vague suggestion the trillion-dollar company might pay him some money.

In trying to fix its PR fail, has Apple made things worse? In this week’s Security Blogwatch, we’re sorry.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: NFL—Not For Lipreading.

FacePalm PR shambles

What’s the craic? Matthew J. Belvedere reports Apple could pay a reward to the 14-year-old boy:

Grant Thompson, the 14-year-old who found Apple's FaceTime flaw, may get a bounty. … Grant's mother, Michele Thompson, said she repeatedly and unsuccessfully tried to contact Apple to report what her son found. … "I didn't hear from [Apple] until after the media broke the story one week ago."

A high-level Apple executive flew to Tucson, Arizona, on Friday afternoon to meet with Grant. The executive, whom she declined to name, "thanked us in person and also asked for our feedback, asked us how they could improve their reporting process. … They also indicated that Grant would be eligible for the bug bounty program."

The FaceTime bug comes at a time when more and more questions are being asked about online privacy and Apple CEO Tim Cook has positioned the company as a champion of data protection. … On Friday, Apple apologized for the group FaceTime flaw that lets users hear through someone else's iPhone, even if they have not actually answered the phone call.

“Could”? “May”? “Indicated”? Benjamin Mayo is more forthright, saying Master Thompson will be eligible for bug bounty:

Apple’s bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways … to escape the security sandbox. … Thompson’s finding … would not qualify according to those rules.

It appears the company is making an exception here given the embarrassingly public nature of the case.

So Xeni Jardin summarizes thuswise—Apple apologizes:

Apple's sorry about that, and says they've figured out a fix that all iOS users can load next week. They also thanked the mom and 14-year-old kid who struggled to alert Apple.

And they promise better bug reporting practices.

The vulnerability was discovered by a 14-year-old in Arizona whose mom had a heck of a time trying to report it. Apple told them to go get a developer account [to] submit a formal bug report. That was the extremely wrong answer.

Here’s Apple's full apology: … “We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue.”

Oh, right, I see: So sorry about the bug, but not so sorry for the infernal runaround they put the Thompsons through? Martin “drinkpoo” Espinoza likens it to an abusive relationship:

This is how abusers string along their victims – random occurrences of being "nice", by doing precisely what they SHOULD be doing. But it doesn't excuse their behavior the rest of the time.

Apple has been generally unresponsive to bug reports since their first days. They ****ed on their user base with this garbage bug, and now all they have to do to distract their Stockholm-syndrome audience is grant a bug bounty to someone who clearly deserves it.

"Look", they'll say, "Apple can do the right thing!" Yes, but only when it would otherwise make it obvious what they really are: abusive.

And this Anonymous Coward cuts to the chase:

A rotten culture to the core. The person logging the call should have escalated immediately bypassing whatever.

Bad culture is a management issue. Can't take the initiative? Not empowered?

But Todd Fraser argues for the most part they handled it professionally:

Actually this makes an interesting case study in crisis management. … There were many chances for Apple to flub the response and make it worse.

Having this exposed is painful. [It] creates a lot of emotion within the company, and emotion often leads to rash decisions that will just make things worse (think … "You're Holding it Wrong.")

However once Apple spotted the reported flaw, and scoped out how bad it was (this seemed to take too long), … they took the embarrassment of a flaw, to make sure their customer base would be safe. … Also it appears they are trying to make bug reporting more streamlined.

I have seen other times when a security flaw is discovered and a company would go into panic protected mode: try to ignore the problem as long as it could, actively hide or remove any communication about the problem to the public, find legal action against the more vocal people pointing out the problem, and use PR and Marketing to try to whitewash the problem, while real people are getting hurt.

I am actually surprised on how well Apple is handling this problem.

Apple is indeed a special case, right? Jonathan Medina is suitably scathing:

Yeah but we knew from the get go … that major security bugs fall into the needle-in-a-haystack of other bugs. And people have complained before there’s no super way to escalate true importance.

Typical corporate incompetence.

Oh. Do we at least care about the apology? Zac Hall says he doesn’t care, but at least:

An apology after a few days of people pointing out there’s been no apology is better than no apology at all.

Meanwhile, the @JonyIveParody parody account parodies Sir Jony Ive’s reaction:

Steve Jobs would never have apologised.

The moral of the story?

When you make a mistake, either apologize or not. Don’t sit on the fence. And don’t be so selective with your bug bounties.

And finally …

Lipreading sportsball (badly)


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Marco Verch (cc:by)
