The boy’s mother says she tried warning Apple about the flaw for over a week.

apple-wwdc-2018-1171
Apple Senior VP of Software Engineering Craig Federighi talks up Group FaceTime.

James Martin/CNET

Before the world learned about Apple’s FaceTime bug, a 14-year-old Arizona boy first discovered it, while playing a game of Fortnite with friends.

On Jan. 19, Michele Thompson’s son started a group FaceTime call with his buddies, so they could talk while playing the online game. He added a friend and was able to listen to conversations through the friend’s phone, even though the friend hadn’t yet answered the call.

He first reported the bug to his mother, a lawyer, who says she spent the last week, before the bug became widely known, trying to warn Apple.

Apple users were vulnerable to a major security hole that essentially turned any device with Group FaceTime, including iPhones, iPads and Macs, into a listening device. The bug first became public knowledge on Monday, prompting Apple to temporarily disable the Group FaceTime feature.

The company introduced Group FaceTime in late October with iOS 12.1. Apple said it would be releasing a patch for the security flaw this week.

Once he’d stumbled across the FaceTime vulnerability, the teen repeated the circumstances multiple times to make sure the bug was for real; then he showed his mother. Thompson said she was skeptical at first but became convinced after replicating the flaw herself several times. That’s when she began trying to warn Apple.

Thompson said her efforts included multiple tweets, Facebook messages, emails to Apple and calls to the support line over the last week. On Jan. 22, she also sent the company’s general counsel a fax about the bug, with her law firm’s letterhead on top. And on Jan. 25 she uploaded a video to YouTube, demonstrating the flaw, and sent it to Apple multiple times.

MGT7@MGT7500

One of many emails sent to Apple 1 week ago attempting to report the Group FaceTime bug. @cnbc @cnn @foxnews @9to5mac

43 people are talking about this

“I tried my best to report it to them, and they didn’t listen,” Thompson said.

The company didn’t respond to CNET’s request for comment.

At one point, Thompson said, she even tweeted at Apple CEO Tim Cook, warning that this would go public soon if Apple didn’t respond quickly. She said she felt bad about the tweet, and deleted it shortly after.

Embedded video

alfred 🆖

@alfredwkng

Here is the detailed video that Michele and her son Grant sent to Apple’s Product Security team, explaining the FaceTime bug, which they uploaded on Jan. 25.

We’ve blurred out the phone numbers shown to protect their privacy:

75 people are talking about this

She found the process of reporting the bug to Apple “exhausting and exasperating,” even as an attorney who’s experienced in filing legal documents on a daily basis.

It’s often difficult for the general public to report security bugs, said Marten Mickos, CEO of bug bounty platform HackerOne. But that’s slowly been shifting.

“The noise of the crowd is absolutely worth it when you actually WILL find the needle in the haystack,” Mickos said in a statement.

An Apple representative told Thompson over the phone that she’d need to register as a developer to report the bug to the company (Apple has its own bug bounty program). Thompson did that, eventually hearing back from the company on Jan. 23. But she says she didn’t get any indication that Apple was going to fix the flaw.

“It’s extremely difficult for a citizen to report this and then get it noticed,” Thompson said. “I’m sure they get a lot of fake reports, but it’s frustrating because there is no clear way to report this issue.”

LEAVE A REPLY

Please enter your comment!
Please enter your name here