The Apple Group FaceTime Bug Was Found By A Teen & He Might Be Eligible For A Bug Bounty
An update on the Apple FaceTime glitch situation that emerged last week: The Group FaceTime bug was found by a teen, who may now be eligible for a “bug bounty” from Apple — a payout that compensates those who find and report vulnerabilities in Apple products. The glitch allowed others to eavesdrop on users though an issue in the Group FaceTime feature, whether or not those users had actually answered a Group FaceTime call; it was discovered by 14-year-old Grant Thompson of Tucson, Ariz. Teens: Saving the world and protecting us from ourselves, because at this point, adults just can’t be trusted to do it.
Apple disabled the Group FaceTime feature for all users last week. “We’re aware of this issue and we have identified a fix that will be released in a software update later this week,” a representative for the company said in a statement provided to Bustle at the time. In an updated statement released to numerous news outlets on Friday, Apple noted that they have “fixed the Group FaceTime security bug on Apple’s servers,” as well as that they “will issue a software update to re-enable the feature for users next week.” The company also publicly thanked the Thompson family for reporting the issue.
According to Grant, who made an appearance on CNBC’s Squawk Box on Monday morning, he discovered the bug by accident on Jan. 19 while attempting to get in touch with some friends to arrange a round of Fortnite. He started by calling one friend via FaceTime, who didn’t pick up immediately; so, while the line was still ringing, he went ahead and swiped up in order to add a second friend to the call. When that friend picked up, they realized they could hear everything going on around the first friend’s phone, even though that initial call had never been picked up.
Said Apple in a statement issued last Friday, “We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.”
Apple originally announced its bug bounty program, which provides payouts of up to $200,000 for researchers who uncover and report vulnerabilities to the company, in 2016, although the invite-only initiative took some time to get off the ground. These days, anyone can report bugs to Apple as long as they’re registered as a developer; all you have to do is head to the Apple Bug Reporter tool and log in with the Apple ID connected to your developer account to submit a bug report.
That’s exactly what Grant’s mom did on his behalf, according to PCMag. Michele Thompson started by calling Apple Support, where a rep told her how to go about submitting an issue to the Apple Bug Reporter; she also took to Twitter, tweeting at both Apple and various news outlet in an attempt to get word out. Meanwhile, the Apple-focused tech site 9to5Mac picked up the story on Jan. 28, at which point knowledge about the bug spread rapidly across the internet.
(According to NBC News via CNBC, Benjamin Mayo, the writer who initially covered the bug for 9to5Mac, saw Michele’s tweets after his story had been published, but she didn’t contribute anything to his reporting.)
Apple said in last Friday’s statement, “We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.”
After news of the bug went viral, Michele told CNBC, Apple reached out to the Thompsons. An executive flew to Tucson to meet them on Friday to thank them and ask for feedback on the bug report system. During this meeting, said Michele, it was apparently also “indicated that Grant would be eligible for the bug bounty program”; they were old that Apple’s “security team” would follow up with them to discuss the matter.
Specific bug bounty payout amounts aren’t currently listed on the Apple Bug Reporter website, but at the time of the bug bounty program’s launch, compensation for those who identified and reported bugs ranged from $25,000 to $200,000, according to TechCrunch. For a teenager, that kind of money can go a long way as an investment for the future. As Michele told CNBC, “If [Grant] got some kind of bug bounty for what he found, we’d certainly put it to good use for his college because I think he’s going to go far, hopefully. This is actually a field he was interested in before and even more so now.”
As Apple has noted, the software update addressing the bug hasn’t been released yet; however, the goal is for it to roll out this week. The issue has been fixed within Apple’s servers, though. In the meantime, you can always manually disable FaceTime; find out how to do that here.