Yesterday, a worrying and invasive bug that allowed callers to secretly listen in on unknowing recipients through Apple’s FaceTime app quickly made news headlines. It was discovered that people could initiate a FaceTime call and, with a couple short steps, tap into the microphone on the other end as the call rang — without the other person accepting the FaceTime request. Apple said last night that an iOS update to eliminate the privacy bug is coming this week; in the meantime, the company took the step of disabling group FaceTime at the server level as an immediate emergency fix. However, new information suggests that Apple has already had several days to respond; the company was tipped off about it last week.
Back on January 20th, a Twitter user tweeted at Apple’s support account clearly outlining the gist of the FaceTime bug: “My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval.” The parent’s teenager had discovered the problem one day prior on January 19th, according to tech entrepreneur John Meyer, who has been in contact with them. CNET has identified the tipster as Michele Thompson, whose 14-year-old son first encountered the flaw while setting up a group FaceTime call with friends to coordinate strategy during a game of Fortnite.
Quick facts from my call with the 14 year old’s mom:
- Yes, a 14 year old discovered this bug. He did so "around" Saturday, 1/19
- Mother is a local lawyer in AZ and sent a formal notice to Apple on 1/25
- That formal notice the mom sent to Apple on 1/25 is attached pic.twitter.com/RMbXp3huab
— John H. Meyer (@BEASTMODE) January 29, 2019
FaceTime wasn’t mentioned in the tweet, but it’s still something that would seem worth looking into. Thompson’s warning has now received a lot of attention, but it could’ve flown under the radar for Apple’s customer service / social media team at the time. There was no direct reply from Apple, but the tweet said a bug report had been filed.
In fact, through subsequent tweets, Thompson claimed that she made multiple attempts to reach Apple and inform the company of the issue. An email dated January 22nd warned of “a major privacy and security flaw.” Another image seemingly confirms that Thompson eventually emailed firstname.lastname@example.org, which is exactly what the company says should be done in this kind of urgent situation.
Here is another example of the mother reaching out to Apple again over email on Jan 22, after being ignored repeatedly leading up to 1/22. pic.twitter.com/aN52VqWewv — John H. Meyer (@BEASTMODE) January 29, 2019
The emails emphasized the bug’s significance, calling it “a huge issue” that Thompson had personally verified. Without revealing the necessary steps to exploit the bug in that email — she had questions regarding Apple’s bug bounty program and wondered if her son might receive a monetary reward for discovering it — Thompson asked Apple to get in touch immediately so that a fix could be quickly developed.
But no response came, leading her to both email and fax a formal document to Apple on January 25th. Here, the full bug is laid out in detail, and the message — titled Urgent Security Issue Regarding iOS 12.1.3 — contained an unlisted YouTube link to a video that demonstrated the FaceTime issue. “My fear is that this flaw could be used for nefarious purposes,” Thompson wrote. “At this point, I will not release this information to anyone until I hear back from you.”
VIDEO: Here is a video, recorded & sent to Apple by a 14 yr old & his mom, on JAN 23rd, alerting them to the dangerous #FaceTime bug, that has threatened the privacy of millions. I've removed sensitive / private info on behalf of the mother (an attorney), whom I just spoke to. pic.twitter.com/YIBKXEP3mI — John H. Meyer (@BEASTMODE) January 29, 2019
At some point, Apple apparently did respond, but instructed her to go through the process of filing a bug report.
Here is the mom’s official bug report to Apple. Note that the mom self-describes as “not at all techy” and was baffled that Apple Support asked her, an average citizen, to sign up for an Apple developer account to then submit an official bug report, in order to be taken seriously pic.twitter.com/PWdrsych5t — John H. Meyer (@BEASTMODE) January 29, 2019
If Apple became aware of the FaceTime exploit before it was widely publicized yesterday, the company did not take any immediate actions to block consumers from being vulnerable to it. The Verge was able to verify the eavesdropping capability firsthand before Apple shut down group FaceTime as a quick fix. It might have already been investigating the situation when the news broke, however. The company has not commented on the bug beyond yesterday’s statement about an iOS update coming in the next few days.
Update January 29th 2:45PM ET: The article has been updated with more details about the person who reported the FaceTime bug to Apple.