This 14-year-old found Apple's FaceTime bug before it went viral

A newly discovered bug in Apple's FaceTime software lets Apple users listen in on the people they are calling, and even see through their front-facing camera, without them picking up the call. CNN's Christine Romans explains.

Posted: Jan 30, 2019 7:35 AM
Updated: Jan 30, 2019 7:35 AM


Fourteen-year-old Grant Thompson was just trying to play video games with friends on a day off from school when he made an alarming discovery: a bug in Apple's FaceTime tool that could turn iPhones into eavesdropping devices.

On Monday, more than a week later, Apple disabled its Group FaceTime feature after other users detected the bug and posted videos of it in action on social media.

Apple told CNN Business in a statement it identified a fix for the issue and plans to roll out a software update later this week.

In the nine days between Grant discovering the bug and Apple publicly addressing it, Grant's mom, Michele Thompson, said she tried everything she could think of to get Apple's attention. She emailed, called, tweeted at CEO Tim Cook and even faxed a letter on her law firm's letterhead.

An attorney in Tucson, Arizona, she wanted to make sure Apple fixed the problem before it fell "into the wrong hands."

On January 20, she posted about the issue on Facebook and Twitter: "My teen found a major security flaw in Apple's new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport...waiting to hear back to provide details. Scary stuff!"

She was careful not to share too many details on social media, so people wouldn't know how to recreate it.

On Friday, Grant's mother emailed a bug report and a video to a representative in Apple's Product Security department. Thompson hadn't heard back before the bug's discovery blew up on social media.

"It's exhausting and exasperating," Michele Thompson said of the reporting process. "It's very poorly set up especially for the average citizen. I feel like I went above and beyond."

Her son discovered the glitch when he FaceTimed a friend who didn't pick up. He swiped up on his iPhone to add a friend to the Group chat, a feature that, until it was disabled, worked on iPhones and iPads running iOS 12.1 and Apple PCs running macOS Mojave.

Grant realized he could hear everything coming through the first friend's iPhone, even though that person hadn't answered. The friends immediately tried to recreate what happened. In some cases, users said, the bug could even access a recipient's camera.

"We tested a few more times and found out we could get people to force answer FaceTime calls," Grant Thompson told CNN Business. "After we confirmed that it worked, I went and told my mom."

A freshman in high school, Grant told CNN Business he's "pretty into technology and stuff," and thinks it would be cool if Apple acknowledged his find.

Like many tech companies, Apple has a bug bounty program that offers financial rewards for some discoveries. The program, launched in 2016, pays up to $200,000 for detecting bugs, but some third-party companies will offer more.

Bug reports go through Apple's developer site, but the company told Thompson non-developers can use it. However, most companies don't have a public-facing way to report these types of bugs.

"Apple has a clear reporting channel, and even pays rewards for certain bugs -- a.k.a. bug bounties -- but these channels are likely only obvious if you're in the security industry and already know where to go to report. [It's] not so clear for consumers," Katie Moussouris, the CEO of Luta Security, which helps companies and governments work with hackers, said in an email. "Except in this case, the customer support team and the social media team (and whoever got that fax) didn't quite know how to remove obstacles and friction from the reporting process."

It's important for companies and government agencies to have a public-facing way to report bugs, according to Marten Mickos, CEO of HackerOne, a cybersecurity firm that connects security researchers with companies.

"Even if millions of people find nothing to report, and thousands may report something that isn't really a bug, it still is worth it when just one person finds and can describe the bug," Mickos said.

Apple did not respond to a request for comment about the Thompsons' bug report or if other users flagged the issue.

"Even if the bug had gotten to the right people on day one after discovery, under normal operations, the investigation alone might take a few days or longer for complex issues, let alone creating and testing a fix," said Moussouris.

Mickos said giving rewards serves a good purpose, such as setting a good example for everyone else and showing the company values cybersecurity.

After detecting the bug, Grant told his mom he was hoping to get a MacBook Pro, an iPhone X and some AirPods as a reward for spotting the bug. Although she said they didn't report the issue for a reward, she believes Apple should acknowledge her son.

"Apple should reward people for reporting things of this nature -- not just reward the developers or the people who are savvy with tech," said Thompson. "I think just thanking him would be great," she said.
