X

Apple's FaceTime bug was discovered by a teen playing Fortnite

The boy's mother says she tried warning Apple about the flaw for over a week.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
apple-wwdc-2018-1171

Apple Senior VP of Software Engineering Craig Federighi talks up Group FaceTime.

James Martin/CNET

Before the world learned about Apple's FaceTime bug, a 14-year-old Arizona boy first discovered it, while playing a game of Fortnite with friends.

On Jan. 19, Michele Thompson's son started a group FaceTime call with his buddies, so they could talk while playing the online game. He added a friend and was able to listen to conversations through the friend's phone, even though the friend hadn't yet answered the call.

He first reported the bug to his mother, a lawyer, who says she spent the last week, before the bug became widely known, trying to warn Apple.

Apple users were vulnerable to a major security hole that essentially turned any device with Group FaceTime, including iPhones, iPads and Macs, into a listening device. The bug first became public knowledge on Monday, prompting Apple to temporarily disable the Group FaceTime feature.

The company introduced Group FaceTime in late October with iOS 12.1. Apple said it would be releasing a patch for the security flaw this week.

Once he'd stumbled across the FaceTime vulnerability, the teen repeated the circumstances multiple times to make sure the bug was for real; then he showed his mother. Thompson said she was skeptical at first but became convinced after replicating the flaw herself several times. That's when she began trying to warn Apple.

Thompson said her efforts included multiple tweets, Facebook messages, emails to Apple and calls to the support line over the last week. On Jan. 22, she also sent the company's general counsel a fax about the bug, with her law firm's letterhead on top. And on Jan. 25 she uploaded a video to YouTube, demonstrating the flaw, and sent it to Apple multiple times.

"I tried my best to report it to them, and they didn't listen," Thompson said.

The company didn't respond to CNET's request for comment.

At one point, Thompson said, she even tweeted at Apple CEO Tim Cook, warning that this would go public soon if Apple didn't respond quickly. She said she felt bad about the tweet, and deleted it shortly after.

She found the process of reporting the bug to Apple "exhausting and exasperating," even as an attorney who's experienced in filing legal documents on a daily basis.

It's often difficult for the general public to report security bugs, said Marten Mickos, CEO of bug bounty platform HackerOne. But that's slowly been shifting.

"The noise of the crowd is absolutely worth it when you actually WILL find the needle in the haystack," Mickos said in a statement.

An Apple representative told Thompson over the phone that she'd need to register as a developer to report the bug to the company (Apple has its own bug bounty program). Thompson did that, eventually hearing back from the company on Jan. 23. But she says she didn't get any indication that Apple was going to fix the flaw.

"It's extremely difficult for a citizen to report this and then get it noticed," Thompson said. "I'm sure they get a lot of fake reports, but it's frustrating because there is no clear way to report this issue."

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Everything about Fortnite: What you need to know about the hit game.