Group FaceTime exploit lets callers listen in on recipient's audio before accepting call [...

Posted in iPhone, edited January 28
Until a bug in iOS 12.1 or later is fixed, an exploit allows a FaceTime Video caller to hear the audio, and potentially see video, from the recipient's iPhone without the call even being picked up.




First spotted on social media, the procedure to induce the bug is fairly simple. The caller starts a FaceTime video call with a contact, then while the call is "ringing," they add themselves to the call as a third party by tapping Add Person and entering their own phone number.

If properly executed, a Group FaceTime call is started and the original recipient's audio begins to stream before the call is accepted.

While AppleInsider has duplicated the bug on an iPhone X, iPhone XR, and iPhone XS Max, it does not seem to cross over to a Mac accepting a call from an iPhone with Handoff. That said, the recipient iPhone's audio is still sent to the caller. The audio is not bi-directional, and streams from the recipient to the caller only.

Obviously, this does not allow anybody to listen in on any other iPhone surreptitiously, as the call still has to be made in the first place. The recipient's phone will indicate that there is an incoming FaceTime call. Some users, like The Verge's Dieter Bohn, have seen camera access enabled when interacting with an iPhone's power button to dismiss a call, though AppleInsider was unable to confirm.

Until Apple specifically addresses the issue, the safest course is to assume that any incoming FaceTime call is being listened in on by the caller.

Those concerned can disable FaceTime by navigating to Settings > FaceTime and toggling the FaceTime button to the off position.

AppleInsider has reached out to Apple about the issue.

Now you can answer for yourself on FaceTime even if they don't answer #Apple explain this.. pic.twitter.com/gr8llRKZxJ

-- Benji Mobb (@BmManski)


Update: Apple in a statement to BuzzFeed confirmed it is aware of the issue and has "identified a fix that will be released in a software update later this week."

Comments

  • Reply 1 of 11
    focher Posts: 637 member
    That's a pretty bad bug. Not empty-root-password level, but pretty bad.
  • Reply 2 of 11
    mazda 3s Posts: 1,560 member
    Well, that's... disconcerting. How do you even let a bug like this slip through the QA process? 
  • Reply 3 of 11
    Haven’t had a chance to try this yet, but I know if I initiate a regular FaceTime call that after several “rings” and no response the call ends with the message “unavailable”. Meaning you would only get audio for a few seconds before the call fails.

    When doing a Group FaceTime using this method, does the call still time out and end? Or can you theoretically listen for as long as you want?


    Edited: Just read The Verge article and they said the problem is more serious on a Mac because “it rings for much longer”. This implies that you can only “listen in” while it’s ringing and not indefinitely.
    edited January 28
  • Reply 4 of 11
    mazda 3s said:
    Well, that's... disconcerting. How do you even let a bug like this slip through the QA process? 
    Because no one thought to create a test script that involved adding a second person to a call before the first person answers?  Seems like a reasonable QA oversight to me.  Now whether it's an "excusable" design/coding error on the other hand...
  • Reply 5 of 11
    So is this a major bug or just techie Twitter freaking out like normal?
  • Reply 6 of 11
    mazda 3s said:
    Well, that's... disconcerting. How do you even let a bug like this slip through the QA process? 
    Because no one thought to create a test script that involved adding a second person to a call before the first person answers?  Seems like a reasonable QA oversight to me.  Now whether it's an "excusable" design/coding error on the other hand...

    It’s worse than that. Not just adding another person, but adding yourself to create a group chat. So it appears you have a group chat with three people, but two of them are the same person. At least that’s how I understand it.
  • Reply 7 of 11
    eightzero Posts: 2,226 member
    oops.
  • Reply 8 of 11
    mazda 3s said:
    Well, that's... disconcerting. How do you even let a bug like this slip through the QA process? 
    Because no one thought to create a test script that involved adding a second person to a call before the first person answers?  Seems like a reasonable QA oversight to me.  Now whether it's an "excusable" design/coding error on the other hand...

    It’s worse than that. Not just adding another person, but adding yourself to create a group chat. So it appears you have a group chat with three people, but two of them are the same person. At least that’s how I understand it.
    Does it then show as a Group FaceTime call, not just a FaceTime call?
  • Reply 9 of 11
    Just as an aside... Why is Apple giving any information to discredited BuzzFeed? They’re the grease trap of the news media.
  • Reply 10 of 11
    mazda 3s said:
    Well, that's... disconcerting. How do you even let a bug like this slip through the QA process? 
    Because no one thought to create a test script that involved adding a second person to a call before the first person answers?  Seems like a reasonable QA oversight to me.  Now whether it's an "excusable" design/coding error on the other hand...

    It’s worse than that. Not just adding another person, but adding yourself to create a group chat. So it appears you have a group chat with three people, but two of them are the same person. At least that’s how I understand it.
    Yeah that is pretty much it.  I actually did this by mistake when calling family members (first time using Group FaceTime).  It was a bit confusing.
    Glad to see Apple will fix it soon.
  • Reply 11 of 11
    I guess I'll have to switch to Android and its equivalent video calling software. Oh wait, Android doesn't have any equivalent: https://www.forbes.com/sites/ryanwhitwam/2017/12/29/the-top-3-facetime-alternatives-for-android/#7633a03e10ac