Following the news that Apple has temporarily disabled the group FaceTime functionality while it fixes a bug which let users eavesdrop on those they were calling, security experts commented below.
How a high school student ‘stumbled upon’ Apple’s FaceTime bug and tried to report it https://t.co/IFG4rczbAZ
— Trade For Profit 📈 (@TFPdaily) January 30, 2019
Jake Moore, Cyber Security Expert at ESET UK:
“Technology bugs occur far more often than the average user may think. Luckily Apple is usually quick to adapt and patch up the flaws. However, we do not know how long this bug has been around for and if it has been taken advantage of by cybercriminals who exploit these vulnerabilities.
Apple is currently fixing the issue, and like any precaution technique it’s always good to be on the safe side, so it is worth disabling FaceTime on your devices until Apple has officially issued the specific software update.”
Marten Mickos, CEO at HackerOne:
Q: Why is it hard for regular people to report bugs?
“It should not be hard for anyone to report a bug to a company or government agency, but unfortunately it still often is. The US Deputy Attorney General has said that every organisation should have a vulnerability disclosure program, which is exactly a way for people who see something to say something. DOJ, FTC, NIST and other federal agencies have published their recommendations and frameworks on this topic, but they have not yet been universally adopted. The good news is that all of this is changing. Leaders in business and politics agree that the only way to make the internet more secure is to invite the broad public (which includes some very smart whitehat hackers) to report the bugs they find.”
Q: Do they even find many major bugs in your experience?
“Yes, they do. We all instinctively know that the general public are not security experts and will not be able to find and report a bug. But when you invite anyone to report a bug, you are sure to find among them the few absolutely brilliant and passionate security experts who will painstakingly test out a product and figure out even its smallest deficiency. Even if millions of people find nothing to report, and thousands may report something that isn’t really a bug, it still is worth it when just one person finds and can describe the bug. The noise of the crowd is absolutely worth it when you actually WILL find the needle in the haystack. And, interestingly, often the engineers working for the company in question are unable to detect those bugs, just like it is difficult for people to see typos in their own text although they see them in other people’s text. We need the scrutiny of the unbiased people on the outside.”
Q: What are the recommendations for companies like Apple? Should they have an easy form anyone can fill out, a phone number?
“Apple represents a very high level of cybersecurity awareness and discipline. They do have a way to receive bug reports. Take a look at this web page: https://support.apple.com/en-us/HT201220. On that page, it says “To report security or privacy issues that affect Apple products or web servers, please contact product-security@apple.com.” What a company of Apple’s size and presence must be ready for (and they are) is the large volume of incoming bug reports that may actually not be that relevant. With the help of software automation and human beings you can sift through those incoming reports and find the truly valuable ones, or you can turn to a provider like HackerOne to get that work done for your company. Any company receiving bug reports (in practice, any company with digital assets) also needs to have an ability and readiness to fix the most severe bugs. Often, software development teams are asked to produce a lot of new features that customers are waiting for. They also need to carve out dedicated time for fixing the security issues that are reported to them. The average time from when a bug was reported to when it gets fixed is an important metric when assessing the cybersecurity posture of an organisation.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.