Apple has finally released an iOS update that should fully patch the Group FaceTime vulnerability that could have been exploited to spy on users through their device’s microphone and camera.
Apple described the flaw, tracked as CVE-2019-6223, as a logic issue in the handling of Group FaceTime calls. The company says the problem has been addressed with “improved state management.”
The bug allowed an attacker to spy on FaceTime users by calling the targeted user and adding the attacker’s own number to a group chat. While the hacker could hear and possibly even see the victim, on the victim’s side it appeared as if the call still hadn’t been answered.
Interestingly, Apple has credited both Grant Thompson, a 14-year-old from Arizona, and Daven Morris, or Arlington, Texas, for reporting the vulnerability.
Thompson and his mother attempted to report the findings to Apple more than 10 days before details of the bug became public, but their attempts were ignored by the tech giant. Apple admitted that it dropped the ball in this case and promised to improve its vulnerability reporting process. It has also promised to pay Thompson a bug bounty, but it’s unclear if Morris will receive a bounty as well.
Apple disabled the Group FaceTime feature after learning of the flaw’s existence. It then implemented a server-side fix and now it has released updates for both iOS and macOS Mojave to fully address the issue. The Group FaceTime service has now been restored.
The iOS update (version 12.1.4) also patches two privilege escalation and code execution vulnerabilities that Google says have been exploited in the wild. One of these flaws has also been resolved in macOS Mojave.
While investigating the FaceTime bug, Apple also discovered an issue related to the Live Photos feature in FaceTime. The flaw, tracked as CVE-2019-7288, has been patched through “improved validation on the FaceTime server.”
The FaceTime bug has caused a lot of problems for Apple. A lawyer from Texas has filed a lawsuit against the company, claiming that the vulnerability was exploited to record a client’s private deposition.
Authorities in New York have launched an investigation into Apple’s slow response, and two lawmakers demand that the company be more transparent about how it handled this incident.
Related: Apple Patches Dozens of Vulnerabilities in iOS, macOS
Related: Apple Patches Passcode Bypass, FaceTime Flaws in iOS
Related: iOS Lockscreen Bypass Abuses New Group FaceTime Feature
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Tags: 
