FaceTime Bug an AppSec Fail

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

BradleyRoss,
User Rank: Moderator
2/4/2019 | 3:48:40 PM

Reporting security problems to Apple

The address for sending information on security problems at Apple is apparently [email protected] However, I also sent them a message about a probable fix for a problem and received no response. After a few attempts at escalation of the issue, I finally received a message that they couldn't talk about such issues. However, I found the language in the communications from the product security group disturbing in that it appeared to be the type of double-talk encountered from people who didn't want to deal with the problem or admit that the problem existed. I appreciate the need for deception in product security, but it seemed that they lacked sufficient skill and knowledge to successfully deceive.

I find the idea this is a problem in testing under AppSec simplistic and dangerous. It is simplistic because problems like this usually represent errors by multiple persons in the software development life cycle, frequently over a period of years. It is dangerous because testing is of limited use in finding problems unless the software is designed in a way that supports testing.

Designing the software to support testing first requires a design with sufficient documentation to design tests. A problem of this type does not indicate a problem in testing, but a problem with the design methodology not providing enough information to develop the tests.

Reply | Post Message | Messages List | Start a Board

100%

BROWN1808,
User Rank: Apprentice
1/31/2019 | 11:43:12 AM

Apple Face Time Bug

The other issue that is very frustrating is reaching someone actually involved with the company to report this or any issue to, not a machine or a group of supporters helping Apple out by solving their problems for them. That aspect should have been commented on more thoroughly.

Reply | Post Message | Messages List | Start a Board

Editors' Choice

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry

David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP, 7/9/2021

Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours

Robert Lemos, Contributing Writer, 7/7/2021

It's in the Game (but It Shouldn't Be)

Tal Memran, Cybersecurity Expert, CYE, 7/9/2021

Live Events

Webinars

Dark Reading Virtual Event - November 17 - Learn More

Black Hat Europe 2021 - November 8-11 - Learn More

SecTor - Canada's IT Security Conference Oct 30-Nov 4 - Learn More

More Informa Tech Live Events

White Papers

The State of Cloud

Zero Trust and the Power of Isolation for Threat Prevention

Digital Transformation and Data Security

The Transition to Empowered Enterprise Authentication

Run and Transform

More White Papers

Cartoon

Latest Comment: I've heard of people walking right out the front door with entire servers...

Cartoon Archive

Current Issue

How Enterprises are Attacking the Cybersecurity Problem

Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Incident Readiness and Building Response Playbook

In this special report, learn the Xs and Os of any good security incident readiness and response playbook.

Download Now!

Battle for the Endpoint

0 comments

How Enterprises are Developing Secure Applications

0 comments

Assessing Cybersecurity Risk in Today's Enterprises

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-41154
PUBLISHED: 2021-10-18

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions an attacker with read access to a "SVN core" repository could execute arbitrary SQL queries. The following versions contain the fix: Tuleap Community Edition 11.1...

CVE-2021-41155
PUBLISHED: 2021-10-18

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not sanitize properly user inputs when constructing the SQL query to browse and search revisions in the CVS repositories. The following versions contain the fix...

CVE-2021-41152
PUBLISHED: 2021-10-18

OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. In affected versions by manipulating the HTTP request an attacker can modify the path of a requested file download in the folder component to point to anywhere on t...

CVE-2021-41153
PUBLISHED: 2021-10-18

The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. Thi...

CVE-2021-41156
PUBLISHED: 2021-10-18

anuko/timetracker is an, open source time tracking system. In affected versions Time Tracker uses browser_today hidden control on a few pages to collect the today's date from user browsers. Because of not checking this parameter for sanity in versions prior to 1.19.30.5601, it was possible to craft ...

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]