Apple has disabled the group chat feature in its FaceTime video calling app after a bug was discovered that allows callers to remotely turn on the microphones on the recipients’ devices.
The issue was disclosed on social media and word about it spread rapidly. It is triggered by starting a FaceTime video call to a contact and, while the call is still ringing, swiping up to add another person to the call but entering your own number instead of a third party's.
This starts a Group FaceTime call, and because of the bug the recipient's microphone is turned on immediately, even though they have not answered. The caller is placed in the group call and can hear conversations or sounds in the recipient's surroundings while the call is still ringing on the other end.
In essence, every time a user receives an incoming FaceTime call, the person at the other end could be eavesdropping. Even worse, if the recipient presses the power button to mute the incoming call, the front-facing camera also gets activated without them knowing.
Apple has not yet released an official statement, but the company’s System Status page now lists Group FaceTime as temporarily unavailable. It was probably turned off to prevent abuse until this issue is fixed.
“FaceTime calls are easily scripted, and many kiosks and other static applications of iOS devices (think airports, for example) likely have FaceTime enabled by default,” said Casey Ellis, founder and CTO at Bugcrowd, via email. “My main concern now is that the fix for the issue is client-side, and clients won’t be updated and will remain vulnerable. The idea of sitting at Newark Airport and having the food-ordering kiosk (which is an iPad) watching as I eat is both a real risk, and creepy.”
Ellis also expressed concern that this bug could be used to spy on kids, especially since they typically don’t answer their phones immediately. Malicious hackers are not very likely to exploit the bug, because the caller needs to be in the victim’s contact list. However, the exploit could be used in pranks and could result in serious privacy violations.
“Even though Apple has gone through great strides to protect their users’ information, this latest bug is yet another reinforcement that privacy continues to remain a major concern regardless of your company’s size or security and privacy investments,” said George Gerchow, CSO of SumoLogic. “It’s also another reminder that nobody’s data is 100 percent safe and that it’s all of our responsibility to be more diligent in protecting the privacy of our customers’ sensitive information against future vulnerabilities.”
Exchange Vulnerability Allows Admin Access from Regular Account
Microsoft Exchange servers are vulnerable to an attack that could allow hackers to escalate from control of a single mailbox to Domain Admin privileges.
The issue was found and disclosed by Dirk-jan Mollema, a researcher with Fox-IT, and is a combination of several factors: the high privileges Exchange holds in Active Directory by default (the Exchange computer account, through the Exchange Windows Permissions group, can modify the access control list of the domain object itself), NTLM authentication being vulnerable to relay attacks, and a feature of Exchange Web Services (push subscriptions) that lets any user with a mailbox make the Exchange server authenticate to a remote HTTP server of their choosing using the server's own computer account. Relaying that authentication to a domain controller over LDAP lets the attacker grant themselves replication rights and dump domain credentials.
“Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP,” Mollema said in a blog post. “This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange. This attack is possible by default and while no patches are available at the point of writing, there are mitigations that can be applied to prevent this privilege escalation.”
The default privileges and NTLM relay were known problems on their own, but the technique of forcing the Exchange server to authenticate back to an attacker-controlled host was the missing link needed to put the attack chain together.
Mollema released a proof-of-concept tool called “PrivExchange” and included several recommendations in his blog post that could help mitigate the attack. Since the problem stems from design decisions, it’s not going to be easy to fix.
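The article does not reproduce Mollema's recommendations, but the attack chain above depends on two domain defaults an administrator can audit directly: who holds WriteDacl on the domain object, and whether domain controllers require LDAP signing and channel binding (which stop relayed NTLM credentials from being accepted over LDAP). The script below is an added example written for this page, not code from the article, from Mollema's blog post or from the PrivExchange tool. It assumes the RSAT ActiveDirectory module is installed, the session runs as a domain-joined user with read access to the domain object, and WinRM is enabled on the domain controllers; the final, optional section assumes an Exchange Management Shell session.

```powershell
# Added example (not from the article or Mollema's post): audit the defaults
# that the PrivExchange relay chain relies on.
# Assumes: RSAT ActiveDirectory module, a domain-joined session, WinRM on DCs.
Import-Module ActiveDirectory

# 1. Principals allowed to rewrite the domain object's ACL.
#    A default Exchange install grants this to "Exchange Windows Permissions",
#    which the Exchange computer accounts belong to. GenericAll implies WriteDacl.
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"
$writeDaclHolders = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.ToString() -match 'WriteDacl|GenericAll'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

"WriteDacl on $domainDN is held by:"
$writeDaclHolders | Format-Table -AutoSize

# 2. LDAP hardening on every domain controller.
#    LDAPServerIntegrity      2 = signing required (1 = negotiated, the default)
#    LdapEnforceChannelBinding 2 = always enforce (0 = never, the default)
#    A missing value is reported as blank and means the default applies.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dcStatus = foreach ($dc in (Get-ADDomainController -Filter *)) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $p = Get-ItemProperty -Path $using:ntdsKey
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            LDAPSigning      = $p.LDAPServerIntegrity
            ChannelBinding   = $p.LdapEnforceChannelBinding
        }
    }
}

"LDAP signing / channel binding per DC (2 = enforced):"
$dcStatus | Format-Table DomainController, LDAPSigning, ChannelBinding -AutoSize

# 3. Optional, Exchange Management Shell only: EWS subscription throttling.
#    The chain starts with an EWS push subscription; a policy that sets
#    EwsMaxSubscriptions to 0 disables EWS subscriptions for the users it covers
#    (this also affects legitimate EWS clients that rely on notifications).
if (Get-Command Get-ThrottlingPolicy -ErrorAction SilentlyContinue) {
    "EWS subscription limits per throttling policy:"
    Get-ThrottlingPolicy | Format-Table Name, EwsMaxSubscriptions -AutoSize
}
```

Run it from an elevated PowerShell session on a management host. An entry for Exchange Windows Permissions (or Exchange Trusted Subsystem) in the first table, combined with a domain controller showing anything other than 2 in both LDAP columns, means the relay path described above is open by default; the checks are read-only, and changing the ACL or the registry values should be planned as a change, since both affect more than Exchange.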