New York Governor Andrew Cuomo and freshly minted state Attorney General Letitia James said Apple was being scrutinized for potentially mishandling notification of a FaceTime bug that allows callers to eavesdrop on the audio of a call recipient before they answer the phone.
Cuomo and James are probing whether Apple was too slow to warn consumers of the bug.
“New Yorkers shouldn’t have to choose between their private communications and their privacy rights,” James said in a statement. “This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years.”
Calling the vulnerability an “egregious bug that put the privacy of New Yorkers at risk,” Cuomo called for “a full accounting of the facts to confirm businesses are abiding by New York consumer protection laws and to help make sure this type of privacy breach does not happen again.”
“While this isn’t the first time officials have investigated a company due to lack of response – the FTC did something similar with the Fandango case, stating that it was ‘failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties’,” said Bugcrowd CTO and Founder Casey Ellis.
The action by New York authorities is “a stark reminder that vulnerability disclosure is hard – especially for large companies like Apple that are flooded with reports,” said Ellis. “Inviting a conversation with the entire Internet is noisy. Combing through submissions is a time consuming and often fruitless task. Having a clear communication channel, a policy which provides safe harbor for ethical hackers…and a process and supporting systems to manage internal dissemination of vulnerabilities is paramount – and having a team to triage these submissions is key to being able to respond quickly.”
Maintaining that fixing software is also difficult, even for a feature like FaceTime Groups that may seem simple to the user but is complex “behind the curtain,” Ellis said, “the deliberate obfuscation of this truth makes it easy for anyone on the outside to underestimate the complexity and difficulty of a fix – which I believe is contributing to the backlash in this case.”
The bug has prompted at least one lawsuit, by Houston attorney Larry Williams, who claimed it allowed the recording of a private deposition.