By Benjamin Mayo for 9to5Mac
A significant bug has been discovered in FaceTime and is currently spreading virally over social media. The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.
Naturally, this poses a pretty big privacy problem as you can essentially listen in on any iOS user, although it still rings like normal, so you can’t be 100% covert about it. Nevertheless, there is no indication on the recipient’s side that you could hear any of their audio. There’s a second part to this which can expose video too.
9to5Mac has reproduced the FaceTime bug with an iPhone X calling an iPhone XR, but it is believed to affect any pair of iOS devices running iOS 12.1 or later.
The iPhone FaceTime bug could be reproduced by doing the following:
1. Start a FaceTime Video call with an iPhone contact.
2. Whilst the call is dialling, swipe up from the bottom of the screen and tap Add Person.
3. Add your own phone number in the Add Person screen.
4. You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.
In the UI it will look as though the other person has joined the group chat, but on their actual device the call will still be ringing on the Lock screen.
Whilst the call is ringing, swipe up from the bottom of the screen and add yourself to the call.
The damage potential here is real. You can listen in to soundbites of any iPhone user’s ongoing conversation without them ever knowing that you could hear them. Until Apple fixes the bug, it’s not clear how to defend yourself against this attack either aside from disabling FaceTime altogether.
As it stands, if your phone is ringing with an incoming FaceTime request, the person on the other end could be listening in.
What we have also found is that if the person presses the Power button from the Lock screen, their video is also sent to the caller — unbeknownst to them. In this situation, the receiver can now hear your own audio, but they do not know they are transmitting their audio and video back to you. From their perspective, all they can see is accept and decline. (Another update: It seems there are other ways of triggering the video feed eavesdrop too.)
We have also replicated the problem with an iPhone calling a Mac. By default, the Mac rings for longer than a phone so it can act as a bug for an even longer duration.
Apple has taken Group FaceTime offline in an attempt to address the issue in the interim. They have said the issue will be fixed in a software update later in the week. Until then, if you are concerned, you should disable FaceTime in iOS Settings.
By Vikas Shukla for Value Walk
WhatsApp has a lot on its plate. It’s trying to fight the spread of fake news via its app. It’s working on a bunch of new features to make its service more secure and offer a better user experience. At the same time, it also has to deal with weird bugs, hoax messages, and scams.
The ever-investigative folks at Piunikaweb have now spotted what could be a pretty rare WhatsApp bug. The worst thing about it is that it could let someone else read your chats in plain text after you have changed your phone number.
What does this rare WhatsApp bug do?
Amazon employee Abby Fuller said in a tweet that she was in for a bit of a surprise when she popped her new SIM into a new smartphone and tried logging into WhatsApp. She was able to view and read the chat history linked to the WhatsApp account of the previous owner of that phone number. The past owner of the number may have no idea that Abby was able to read their chat in plain text.
WhatsApp says on its website that when you change your phone number, you should first delete your old account. If you don’t delete it and no longer have access to it, it will automatically delete all the data associated with your old number within 45 days. What’s surprising here is that Abby Fuller has been using the new number for more than 45 days. Theoretically, the data associated with the previous owner’s account should have been deleted within 45 days.
Piunikaweb says Abby Fuller has deleted the chats associated with the previous owner. It’s a huge privacy issue, nonetheless. The publication noted that it’s “definitely a bug” as Abby could view someone else’s chats in plain text when the SIM has been in her name for more than 45 days. Lending further credibility to this view is that Abby didn’t restore it from the backup.
Filippo Valsorda, who works at Google, said it’s possible that the messages Abby received were sent after the previous owner stopped using it. Those messages stayed with one tick, and got resent when Abby registered that phone number with WhatsApp. It’s the first time I’ve heard of this rare WhatsApp bug. The Facebook-owned service hasn’t yet officially commented on the issue.
Separately, a bunch of users have been complaining about another WhatsApp bug that causes the messages to disappear from the app. A user named Bharat Mishra told WABetaInfo that every morning he finds some of his old chats disappearing mysteriously from the app. Mishra uses a Moto G4 Plus, and has re-installed WhatsApp several times in an attempt to get rid of this issue. He has also sent “more than 25 emails” to WhatsApp regarding the issue, but hasn’t heard back. A similar problem was reported late last year by another user, who claimed to have been facing the same issue since April.
If you are not haunted by one WhatsApp bug or another, you might be interested in the new features coming to the messaging service. Past reports have suggested that the company was working on adding Face ID and Touch ID support to WhatsApp for iOS to enhance security. It’s still in the development process. Now WABetaInfo reports that the WhatsApp beta version numbered Android 2.19.3 has biometric authentication for Android users. It means we should expect both the Android and iOS versions of WhatsApp to get biometric authentication in the coming months for added security.
By Peter Bright for Ars Technica
Last week, Microsoft started distributing the Windows 10 October 2018 Update, version 1809, to Windows users who manually checked for updates. The company has now halted that rollout after many reports that installing the update is causing serious data loss: specifically, deleting the Documents, and perhaps Pictures, folders. Microsoft is also advising anyone who has downloaded the update but not yet installed it to not install it at all.
The exact circumstances causing data loss aren’t clear; the handful of reports on Microsoft’s forums and Reddit don’t have any obvious commonalities, and people report seeing only one affected system among many when upgraded. There will need to be some amount of investigation before a fix can be developed.
This will be too late for anyone that’s suffered data loss; although file recovery/undelete tools might be able to salvage the deleted files, the only reliable way of recovering them is to restore from a backup.
A data-loss bug is bad. Data-loss bugs are the worst kind of bug that Microsoft could ship; for rarely backed-up home users, at least, they’re worse even than a security flaw—who needs hackers and malware to destroy your data when the operating system does it for you? This bug is sure to raise new doubts about Microsoft’s testing, pace of delivering updates, and dependence on the Insider Program to find and report such problems.
Making this worse is that the bug does appear to have been reported. Numerous reports in Feedback Hub, Microsoft’s bug-reporting tool for Windows 10, complain of data deletion after installing preview releases. None of the bug reports appears to have many upvotes, and the reports generally lack detail. So just as with the more recent reports, they make it hard to pin down the root cause. But it’s obvious that, at the very least, something was going wrong and that it was important enough that it should have been investigated and addressed.
Compounding this issue is that Microsoft’s rollout of version 1809 was already unusual. For reasons unknown, Microsoft didn’t release this update to the Release Preview ring, so the most realistic installation scenario—someone going from version 1803 to 1809—didn’t receive much testing anyway. And all this is against the longer-term concern that Microsoft laid off many dedicated testers without really replacing the testing that those testers were doing.
Microsoft issues a fix
Microsoft has fixed a bug in its latest Windows 10 October 2018 update that deleted files en masse for some users.
The software giant was forced to pull the update over the weekend due to the data deletion issues.
Now, the update is back online, but Microsoft says it is only releasing it to members of the Windows Insider program before making it available to the general public.
Source: Business Day
Google is shutting down the consumer version of its online social network after fixing a bug exposing private data in as many as 500 000 accounts.
The US internet giant said it will “sunset” the Google+ social network for consumers. It failed to gain meaningful traction after being launched in 2011 as a challenge to Facebook.
A Google spokesperson cited “significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations” along with “very low usage”.
In March, a security audit revealed a software bug that gave third-party apps access to Google+ private profile data that people meant to share only with friends. Google said it was unable to confirm which accounts were affected by the bug, but an analysis indicated it could have been as many as 500 000 Google+ accounts.
“We found no evidence that any developer was aware of this bug … and we found no evidence that any profile data was misused,” Google said in a blog post.
The data involved was limited to optional profile fields, including name, age, gender, occupation and e-mail address, Google said. Information that could be accessed did not include posts, messages or telephone numbers.
Google did not specify how long the software flaw existed, or why it waited to disclose it.
The Wall Street Journal reported that Google executives opted against notifying users earlier because of fears it would catch the attention of regulators.
Google will wind down Google+ during the coming 10 months to allow people time to download pictures, videos or other data they want from their accounts. It plans to add new workplace-orientated features to enhance the appeal of Google+ as a “secure corporate social network” to be used inside business operations.
“We have many enterprise customers who are finding great value in using Google+ within their companies,” the firm said.
“Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions.”
Vodacom is reimbursing subscribers who were affected by a billing issue on Monday night, the operator said on Twitter.
Customers took to social media last night, causing Vodacom to trend on Twitter, to complain about disappearing airtime and data.
Those affected by the billing bug complained about missing data and airtime depleting for no apparent reason.
Vodacom has committed to ensuring that all affected customers will be refunded in full. On Tuesday morning, the mobile network said it had begun the process.
Vodacom said that all out-of-bundle charges incurred during the incident are being refunded, and that depleted bundles are being reinstated.
The technical glitch that drained data bundles from numerous customers was sparked by a configuration change to the network’s billing system.
Vodacom told Fin24 that the incident had been the first of its kind.
“The issue was caused by a configuration change on our prepaid and top up billing system that was problematic. We were able to isolate the cause and roll back this process during the course of last night (Monday),” Vodacom spokesperson Byron Kennedy told Fin24 on Tuesday.
Kennedy said Vodacom had already reimbursed customers affected by the billing issue. All out-of-bundle charges incurred during the incident are being refunded, and depleted bundles are being reinstated.
“We are committed to ensuring that all customers are refunded in full,” Kennedy says.
Any customer who has not been reimbursed for their data loss should contact the call centre on 111, Vodacom said. The network would then conduct a short investigation to verify the amount of lost data, before refunding the user.
By Jan Vermeulen for MyBroadband; Kyle Venktess for Fin24