This 14-year-old found Apple's FaceTime bug before it went viral

A newly discovered bug in Apple's FaceTime software lets Apple users listen in on the people they are calling, and even see through their front-facing camera, without them picking up the call. CNN's Christine Romans explains.

Posted: Jan 30, 2019 8:35 AM


Fourteen-year-old Grant Thompson was just trying to play video games with friends on a day off from school when he made an alarming discovery: a bug in Apple's FaceTime tool that could turn iPhones into eavesdropping devices.

On Monday, more than a week later, Apple disabled its Group FaceTime feature after other users detected the bug and posted videos of it in action on social media.

Apple told CNN Business in a statement it identified a fix for the issue and plans to roll out a software update later this week.

In the nine days between Grant discovering the bug and Apple publicly addressing it, Grant's mom, Michele Thompson, said she tried everything she could think of to get Apple's attention. She emailed, called, tweeted at CEO Tim Cook and even faxed a letter on her law firm's letterhead.

An attorney in Tucson, Arizona, she wanted to make sure Apple fixed the problem before it fell "into the wrong hands."

On January 20, she posted about the issue on Facebook and Twitter: "My teen found a major security flaw in Apple's new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport...waiting to hear back to provide details. Scary stuff!"

She was careful not to share too many details on social media, so people wouldn't know how to recreate it.

On Friday, Grant's mother emailed a bug report and a video to a representative in Apple's Product Security department. Thompson hadn't heard back before the bug's discovery blew up on social media.

"It's exhausting and exasperating," Michele Thompson said of the reporting process. "It's very poorly set up especially for the average citizen. I feel like I went above and beyond."

Her son discovered the glitch when he FaceTimed a friend who didn't pick up. He swiped up on his iPhone to add a friend to the Group chat, a feature that, until it was disabled, worked on iPhones and iPads running iOS 12.1, and Apple PCs running macOS Mojave.

Grant realized he could hear everything coming through the first friend's iPhone, even though that person hadn't answered. The friends immediately tried to recreate what happened. In some cases, users said, the bug could even access a recipient's camera.

"We tested a few more times and found out we could get people to force answer FaceTime calls," Grant Thompson told CNN Business. "After we confirmed that it worked, I went and told my mom."

A freshman in high school, Grant told CNN Business he's "pretty into technology and stuff," and thinks it would be cool if Apple acknowledged his find.

Like many tech companies, Apple has a bug bounty program that offers financial rewards for some discoveries. The program, launched in 2016, pays up to $200,000 for detecting bugs, but some third-party companies will offer more.

Bug reports go through Apple's developer site, but the company told Thompson non-developers can use it. However, most companies don't have a public-facing way to report these types of bugs.

"Apple has a clear reporting channel, and even pays rewards for certain bugs -- a.k.a. bug bounties -- but these channels are likely only obvious if you're in the security industry and already know where to go to report. [It's] not so clear for consumers," Katie Moussouris, the CEO of Luta Security, which helps companies and governments work with hackers, said in an email. "Except in this case, the customer support team and the social media team (and whoever got that fax) didn't quite know how to remove obstacles and friction from the reporting process."

It's important for companies and government agencies to have a public-facing way to report bugs, according to Marten Mickos, CEO of HackerOne, a cybersecurity firm that connects security researchers with companies.

"Even if millions of people find nothing to report, and thousands may report something that isn't really a bug, it still is worth it when just one person finds and can describe the bug," Mickos said.

Apple did not respond to a request for comment about the Thompsons' bug report or whether other users flagged the issue.

"Even if the bug had gotten to the right people on day one after discovery, under normal operations, the investigation alone might take a few days or longer for complex issues, let alone creating and testing a fix," said Moussouris.

Mickos said giving rewards serves a good purpose, such as setting a good example for everyone else and showing the company values cybersecurity.

After detecting the bug, Grant told his mom he was hoping to get a MacBook Pro, an iPhone X and some AirPods as a reward for spotting the bug. Although she said they didn't report the issue for a reward, she believes Apple should acknowledge her son.

"Apple should reward people for reporting things of this nature -- not just reward the developers or the people who are savvy with tech," said Thompson. "I think just thanking him would be great," she said.
