Apple reportedly left huge FaceTime privacy bug unaddressed for 6 days

Despite marketing itself as obsessed with user privacy, Apple reportedly waited six days to do anything about a disturbingly huge privacy issue in its FaceTime service — a problem that was only addressed after news of the issue spread across social media last night. The issue enabled FaceTime callers to listen in on remote devices’ microphone audio until recipients answered the calls, effectively letting users spy on conversations or other sounds for as long as the remote devices continued ringing.

According to a new report from 9to5Mac, a mother and her teenage son reported the bug to Apple on January 22, emailing Apple’s customer support and Product Security departments that they had “discovered a major privacy and security flaw in your newest update, that allows users to listen in on other individuals without their permission.” They later shared a private YouTube video with Apple documenting the issue, apparently on January 23.

In a series of tweets, tech entrepreneur John H. Meyer says that the unnamed mother, an attorney from Arizona, provided evidence that she informed Apple about the flaw via email on the 22nd, and sent a formal legal notice to the company on the 25th. In response, Apple apparently told her to sign up for an Apple developer account and file an online bug report to get onto their radar.

Though the bug reporting procedure may sound familiar to longtime Apple followers, the company’s apparently nonchalant attitude about rapidly responding to a serious privacy bug — one that took only a minute to reproduce — is all but shocking. Numerous recent reports have suggested that Apple took weeks if not months to address comparatively smaller security breaches flagged by researchers, hiding its fixes in sneaky advisories.

But a bug allowing FaceTime users to surreptitiously overhear audio from friends, family, or strangers is dangerous on a completely different scale. Worse yet, if the FaceTime call recipient dismissed the request by clicking the power or lock button, the buggy device would impermissibly share video, as well. It’s bad enough that Apple requires customers to use a formal bug reporting system for obvious technical issues — and sometimes never addresses them — but it’s terrible for such a huge company to lack a shortcut for rapidly addressing large-scale privacy or security violations.

Once reports of the privacy issue circulated on social media and were confirmed by journalists, Apple initially said that it would release a fix for the issue later this week, then shut down the Group FaceTime feature altogether on its servers. The company’s belated response ironically came on Data Privacy Day, shortly after Apple CEO Tim Cook encouraged his Twitter followers to “insist on action and reform for vital privacy protections,” saying that the “dangers are real and the consequences are too important.”