Toronto Star

Teenager and mom tried to warn Apple of FaceTime bug

Woman said it was frustrating trying to get its attention

- ROBERT MCMILLAN

An Arizona teenager and his mother spent more than a week trying to warn Apple Inc. of a bug in its FaceTime video-chat software before news of the glitch—which allows one FaceTime user calling another in a group chat to listen in while the recipient’s Apple device is still ringing—blew up on social media Monday.

In the days following their discovery, the pair posted on Twitter and Facebook, called and faxed Apple, and learned they needed a developer account to report the bug. They eventually traded a few emails, viewed by The Wall Street Journal, with Apple’s security team.

But it wasn’t until word of the bug started spreading more widely on social media that Apple disabled the software feature at the heart of the issue.

Michele Thompson said her 14-year-old son, Grant, discovered the issue Jan. 20. She said it was frustrating trying to get the attention of one of the world’s largest technology companies.

“Short of smoke signals, I was trying every method that someone could use to get a hold of someone at Apple,” said Ms. Thompson, 43, who lives with her son in Tucson.

The bug, revealed while Apple is touting its commitment to user privacy to distinguish itself from other big tech companies, affects FaceTime software running on iPhones, iPads and Mac computers. It isn’t clear when the glitch originated, though it affects a multiperson video-chat function called Group FaceTime that Apple launched in October 2018. On Monday, New York Governor Andrew Cuomo took the unusual step of issuing a consumer alert on the issue. “The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk,” he said in a statement.

Apple disabled the Group FaceTime feature late Monday. A spokeswoman said late Monday Apple was aware of the issue and expected to release a software fix this week.

Informed of Ms. Thompson’s claims Tuesday morning, the spokeswoman declined to comment further.

Grant, a high-school freshman, was setting up a FaceTime chat with friends ahead of a “Fortnite” videogame-playing session when he stumbled on the bug. Using FaceTime, Mr. Thompson found that as he added new members to his group chat, he could hear audio from other participants, even if they hadn’t answered his request to join the chat.

He was surprised. That gave him a way of listening in on people without their consent while calls were ringing, a period that typically lasts less than a minute.

Grant did what any responsible teenage security researcher would do: He went to mom. “I was interested to see if we could report to Apple,” Grant said.

Starting Sunday of last week, Ms. Thompson posted Twitter and Facebook messages she hoped would be seen by Apple’s social-media or support team. She followed with a now-deleted Twitter message to Apple Chief Executive Tim Cook. By Tuesday, she had faxed and phoned the company directly.

Ms. Thompson finally spoke with an Apple support representative that day about the bug. “He called me back and he really had no information,” she said. “He said there’s really nothing I could do. You have to register as a developer and submit it.”

Apple’s Bug Reporter program requires a person to sign in with an Apple ID and a developer account, according to the company’s website.

Ms. Thompson, who is an attorney, registered herself as an Apple developer to participate in the program. Since 2016, Apple has paid out cash bounties to researchers who discover significant bugs. Ms. Thompson hoped she might secure a payout for her son, she said.

While companies are increasingly adding bug-bounty programs, they aren’t always integrating them with their social media and support teams, said Katie Moussouris, CEO of Luta Security Inc., which advises companies on such programs. “Apple has a good reputation for having solid engineering, but that doesn’t mean that the intake process is completely worked out,” she said.

According to emails viewed by the Journal, Ms. Thompson heard back from Apple’s security team on Wednesday, Jan. 23. At around 11:15 p.m. on Friday, she emailed them a description of the issue, along with a link to a YouTube video in which she and her son demonstrated how to exploit the bug.

Late Monday, Apple disabled the group chat function in FaceTime after news of the bug was made public on social media. Security experts recommend disabling FaceTime until Apple issues a patch; the company expects to issue one later this week.

Ms. Thompson said she doesn’t know how the bug was made public.

She isn’t sure whether she or Grant will get a bounty or even a thank-you note from Apple for their efforts. “It’s just hard for the average citizen to report anything,” she said.

Photo: ODD ANDERSEN / AGENCE FRANCE-PRESSE. Security experts recommend disabling FaceTime until Apple issues a patch.
