Content

New York probing Apple response to FaceTime bug

New York Governor Andrew Cuomo and freshly minted state Attorney General Letitia James Apple was being scrutinized for potentially mishandling notification of a FaceTime bug that allows callers to eavesdropon the audio of a call recipient before they answer the phone.

Cuomo and James are probing whether Apple was too slow to warn consumers of the bug.

"New Yorkers shouldn't have to choose between their private communications and their privacy rights," James said in a statement. "This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years.”

Calling the vulnerability an “egregious bug that put the privacy of New Yorkers at risk,” Cuomo called for “a full accounting of the facts to confirm businesses are abiding by New York consumer protection laws and to help make sure this type of privacy breach does not happen again.”

“While this isn’t the first time officials have investigated a company due to lack of response – the FTC did something similar with the Fandango case stating that “failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties,” said Bugcrowd CTO and Founder Casey Ellis.

The action by New York authorities is “a stark reminder that vulnerability disclosure is hard – especially for large companies like Apple that are flooded with reports,” said Ellis. “Inviting a conversation with the entire Internet is noisy. Combing through submissions is a time consuming and often fruitless task. Having a clear communication channel, a policy which provides safe harbor for ethical hackers…and a process and supporting systems to manage internal dissemination of vulnerabilities is paramount – and having a team to triage these submissions is key to being able to respond quickly.”

Maintaining that fixing software also is difficult, even for a feature like FaceTime Groups that may seem simple to the user but is complex “behind the curtain,” Ellis said, “the deliberate obfuscation of this truth makes it easy for anyone on the outside to underestimate the complexity and difficulty of a fix  – which I believe is contributing to the backlash in this case.”

The bug has prompted at least one lawsuit, by Houston attorney Larry Williams, who claimed it allowed the recording of a private deposition.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.