Apple was warned about alarming FaceTime eavesdropping bug last week

By Chris Welch

Photo by Dan Seifert / The Verge

Yesterday, a worrying and invasive bug that allowed callers to secretly listen in on unknowing recipients through Apple’s FaceTime app quickly made news headlines. It was discovered that people could initiate a FaceTime call and, with a couple of short steps, tap into the microphone on the other end as the call rang — without the other person accepting the FaceTime request. Apple said last night that an iOS update to eliminate the privacy bug is coming this week; in the meantime, the company took the step of disabling group FaceTime at the server level as an immediate emergency fix. However, new information suggests that Apple has already had several days to respond; the company was tipped off about it last week.

Back on January 20th, a Twitter user tweeted at Apple’s support account clearly outlining the gist of the FaceTime bug: “My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval.” The parent’s teenager had discovered the problem one day prior on January 19th, according to tech entrepreneur John Meyer, who has been in contact with them. CNET has identified the tipster as Michele Thompson, whose 14-year-old son first encountered the flaw while setting up a group FaceTime call with friends to coordinate strategy during a game of Fortnite.

FaceTime wasn’t mentioned in the tweet, but it’s still something that would seem worth looking into. Thompson’s warning has now received a lot of attention, but it could’ve flown under the radar for Apple’s customer service / social media team at the time. There was no direct reply from Apple, but the tweet said a bug report had been filed.

In fact, through subsequent tweets, Thompson claimed that she made multiple attempts to reach Apple and inform the company of the issue. An email dated January 22nd warned of “a major privacy and security flaw.” Another image seemingly confirms that Thompson eventually emailed product-security@apple.com, which is exactly what the company says should be done in this kind of urgent situation.

The emails emphasized the bug’s significance, calling it “a huge issue” that Thompson had personally verified. That email did not reveal the steps needed to trigger the bug — she had questions regarding Apple’s bug bounty program and wondered if her son might receive a monetary reward for discovering it — but Thompson asked Apple to get in touch immediately so that a fix could be quickly developed.

But no response came, leading her to both email and fax a formal document to Apple on January 25th. Here, the full bug is laid out in detail, and the message — titled Urgent Security Issue Regarding iOS 12.1.3 — contained an unlisted YouTube link to a video that demonstrated the FaceTime issue. “My fear is that this flaw could be used for nefarious purposes,” Thompson wrote. “At this point, I will not release this information to anyone until I hear back from you.”

At some point, Apple apparently did respond, but it instructed her to go through the process of filing a bug report.

If Apple became aware of the FaceTime exploit before it was widely publicized yesterday, the company did not take any immediate actions to block consumers from being vulnerable to it. The Verge was able to verify the eavesdropping capability firsthand before Apple shut down group FaceTime as a quick fix. It might have already been investigating the situation when the news broke, however. The company has not commented on the bug beyond yesterday’s statement about an iOS update coming in the next few days.

Update January 29th 2:45PM ET: The article has been updated with more details about the person who reported the FaceTime bug to Apple.