Apple FaceTime Spying Bug: What You Need to Know
Apple moved quickly last night to disable an embarrassing privacy flaw that let iPhone users spy on other iPhone and Mac users via Group FaceTime. The company promised a permanent fix later this week.
Until then, you may want to disable FaceTime just as a precaution. In iOS, the off switch is in Settings > FaceTime. In macOS, you have to open FaceTime, then select "Turn FaceTime Off" from the menu bar.
Somebody -- a teenager, according to one report -- discovered that if you made a FaceTime call from an iPhone running iOS 12.1 or later, then swiped up on the screen to add your own number to the call before the other party picked up, you could hear all the audio from the other phone's microphone even if the other person never answered.
The trick spread across social media Monday (Jan. 28), according to 9to5Mac, which first reported on the bug. The Verge was able to replicate the bug, and discovered that it transmitted video too if the recipient of the call pressed the power or the volume-down button -- as one might do to dismiss the call or, um, turn on the camera.
"We have identified a fix that will be released in a software update later this week," Apple told the Verge and Buzzfeed News in virtually identical statements.
We were able to confirm that the trick worked Monday evening by placing a FaceTime call from an iPhone SE to an iPhone 7. The audio came through from the 7 without it answering the call. When the power button was pressed, the video came through as well.
But about an hour later, Apple switched off the servers that make Group FaceTime possible. Apple's System Status page noted that as of 10:16 p.m. EST Monday, Group FaceTime was "temporarily unavailable."
We confirmed Tuesday morning that the trick no longer worked. Attempting to add yourself to a FaceTime call while the other party's phone rang resulted in an error message stating that the call had "failed."
On Monday, Twitter user Benji Mobb posted video of the trick in action. Both iPhones needed to be running iOS 12.1 or later, or macOS 10.14 Mojave. (Group FaceTime was added in iOS 12.1 and apparently is where the problem lies.)
Twitter user @tythegoddess tweeted about the bug at around noon Monday Eastern time.
"There's apparently a bug that allows people to still be able to talk to you even if you don't answer the call," she wrote. "Don't believe me? FaceTime someone and then add yourself to the call."
That may have been what got the ball rolling on social media, but a little-noticed tweet from more than a week earlier indicated that someone had already tried to notify Apple.
"My teen found a major security flaw in Apple's new iOS," wrote user @MGT7500 on Jan. 20. "He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport ... waiting to hear back to provide details. Scary stuff!"

​

A bug in Apple devices that let callers listen in on  others' microphones without their knowledge has been disabled after political leaders, business leaders and a number of media reports put pressure on the tech giant as it works to permanently solve the issue.
The software problem, which lets users use the group chat function in FaceTime, call someone and then listen in on their conversations even if the other person did not pick up, was demonstrated through videos online and reported on this week by tech blogs. The bug was first confirmed by Bloomberg News and subsequently reported elsewhere, including Fox News.
"We're aware of this issue and we have identified a fix that will be released in a software update later this week," Apple said in a statement Tuesday.

Perhaps serendipitously, the issue occurred on Data Privacy Day, a cornerstone for Apple and a day when CEO Tim Cook tweeted about privacy, writing "the dangers are real and the consequences are too important."
Tim Cook✔@tim_cookWe must keep fighting for the kind of world we want to live in. On this #DataPrivacyDay let us all insist on action and reform for vital privacy protections. The dangers are real and the consequences are too important.
Apple's online support page noted there was a technical issue with the application and that Group Facetime "is temporarily unavailable."
New York governor Andrew Cuomo issued a statement warning people about the bug and urging people to disable the app until Apple fixes the issue.
"The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk," Governor Cuomo said in the statement. "In New York, we take consumer rights very seriously and I am deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes. In light of this bug, I advise New Yorkers to disable their FaceTime app until a fix is made available, and I urge Apple to release the fix without delay."
Jack Dorsey, CEO of Twitter, a company that has also had its share of privacy issues in recent memory, called on users to disable FaceTime until Apple fixes the issue.

jack✔@jackDisable FaceTime for now until Apple fixes
Andy Baio✔@waxpancakeWant to see a really bad bug? You can FaceTime any iOS device running 12.1 and listen in remotely—WITHOUT THE OTHER PERSON ANSWERING THE CALL. (via @bzamayo) https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/ …
The FaceTime bug exists on iOS devices that have iOS 12.1 or later. To disable the FaceTime app temporarily, users can go to Settings, select FaceTime and then toggle it to off until a patch has been issued.
The issue comes at a critical juncture for Apple, which has been beset by slowing iPhone sales. Earlier this month, the company issued a rare update to its quarterly revenue projections, saying it would miss fiscal first-quarter estimates by as much as $9 billion, due in part to the Trump administration's trade war with China.
Apple's market cap declined approximately $75 billion in value, though that has since been recovered on hopes that the worst may be over for the tech giant.
Cupertino, Calif.-based Apple is set to report fiscal first-quarter results after the close of trading on Tuesday. Analysts surveyed by FactSet expect Apple to report $4.17 a share in earnings and roughly $84 billion in revenue.

Facebook is planning to integrate its three instant messaging apps, WhatsApp, Facebook Messenger, and Instagram’s direct message function, it has been revealed. The plans come from Mark Zuckerberg, Facebook’s CEO, himself, The New York Times reports.
The three apps have, historically-speaking, targeted different audiences, had different uses, and different structures. Zuckerberg even insisted when Facebook first acquired them that Instagram and WhatsApp would have a certain amount of autonomy from their new owners. Lately, certain functions have begun to appear in all three of them – Instagram stories and Facebook stories for example, and the equivalent WhatsApp status – but the underlying structure of the apps has remained different and distinct. Not for long, apparently. The change is expected between the end of the year and the beginning of the next.
Zuckerberg has said that while the three apps will continue to be standalone and separate, their technical infrastructure will be the same. This change will also allow users to message each other from any of the three apps without having to switch platform.
This move requires that every communication will be end-to-end encrypted, visible only to the users and no-one else. Currently, only WhatsApp provides that as a default option. Facebook messenger allows encryption only in secret conversations, which can be accessed from the app, but it's not the default. Instagram doesn’t have anything like it. So, this is good news for privacy but only if it is done properly. And given Facebook's track record, people have every right to be skeptical.
“[T]his move could potentially be good or bad for security/privacy," Matthew Green, associate professor of Computer Science at the Johns Hopkins Information Security Institute said in a Twitter thread about the plans. "But given recent history and financial motivations of Facebook, I wouldn’t bet my lunch money on “good”. Now is a great time to start moving important conversations off those services.”
There is also the matter of different registration requirements when it comes to different apps. You need your Facebook identity for messenger, an email for Instagram, and your phone number for WhatsApp. There are clear concerns how the metadata from the future interactions between users across the platform will be used by Facebook. Some people might not want to have their identities across these platforms unified and would rather opt out. It is unclear at this time what guarantees will be put in place to address these concerns.
This close integration is a significant U-turn on the way the three platforms have been run until today and many speculate it is part of the reason why both Instagram and WhatsApp's founders stepped down from their board positions at Facebook last year.

Phishing attacks are now considered the main source of data breaches.
91% of cyber attacks start with a phishing email *
Ten years ago, if you asked someone what ‘phishing’ was, they probably would have no idea. Since then, times have changed considerably; phishing attacks are now responsible for a significant number of major data breaches.
Phishing may have made its way into the mainstream vernacular, but there is still confusion about the subject—and rightfully so. Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy people can find themselves a victim. So, how do you make sure you don’t fall victim as well? Use this five-point checklist to closely examine the validity of incoming email. When in doubt, don’t click!
The SenderThis is your first clue that an email may not be legitimate. Do you know the sender? If not, treat the mail with suspicion, and don’t open any attachments until you verify with the purported sender that they meant to send them. If you believe you do know the sender, double check the actual email address. Often, a phishing email will be designed to look like it comes from a person you know, but there will be a slight variation in the address or they will spoof the envelope to show you a name you recognize.
The SubjectPay attention to subject lines! While something like, ‘Claim your ultimate deal now!,’ can be an obvious sign of a phishing email, the far more successful subject lines are the ones that don’t raise that much suspicion. ‘Account action required’, ‘Delivery status update’, or ‘Billing statement confirmation’ can all be ploys to weaken the email recipient’s defenses through seemingly ordinary alerts.
Remember, if something legitimate is that important, your bank, employer, doctor’s office, retailer, or credit card company will find an alternate way to contact you when you’re not responding over email. When in doubt, call to ask if they’ve sent you an email, but do not make that call to a number that was in the email message you are calling about!
Most clicked email phishing subject lines.
A delivery attempt was made (18%)
A UPS label delivery  (16%)
Change of password required immediately (15%)
Unusual sign-in activity (9%)
The BodyThe body of the email can hold a whole new set of clues, including misspelled words and confusing context. For example, are you asked to verify a banking account or login to a financial institution that you don’t have an account with? Did you get an email from someone you may know that has nothing in it other than a short URL? Does the content apply to you or make sense based on recent conversations or events? Similarly, if it is a known contact, is there a reason they would be sending you this email?
Hackers can also use current or popular events to their advantage. For example, holiday shopping, tax season, and natural disaster or tragedy relief efforts are all used to sneak an unsuspecting phishing email into the inbox of thousands of targets. Did you know that the IRS reported a 400 percent increase in phishing scams for the 2016 tax season alone?
How will you know if an email is valid or not? This is where other email clues will come in handy!
The AttachmentsThe golden rule — do NOT open an attachment if any other aspect of the email seems suspicious. Attachments often carry malware and can infect your entire machine.
7.3% of successful phishing attacks used a link or an attachment**
The URLs Similar to attachments, do NOT click on a link if anything else about the email seems suspicious. This is usually the attacker’s ultimate goal in a phishing scam — lure users to a malicious site and trick them into entering login credentials or personal information, allowing the attacker full account access.
If you do click on a link, be sure to also verify the actual URL. Are you on Google.com or Go0gle.com? The variations can be slight, but they make all the difference! That said, be aware that a malicious site will not always be visibly reflected in the URL, and therefore you will not be able to tell the difference. If this is the case, most browsers have built-in phishing protection to alert you that something is wrong.  
15% of individuals who fall for an initial phishing attack admit to falling for a phishing attack a second time.


By using these five email checkpoints, you will be more equipped to decipher a phishing email. However, some phishing attacks are so sophisticated that they can even fool the savviest of users. The good news is that there are technology solutions, such as two-factor authentication, that can help, and we strongly recommend 2FA