14-year-old’s FaceTime bug discovery could rattle Apple

14-year-old’s FaceTime bug discovery could rattle Apple

‘I’m only 14 and I found it by accident, instead of the people at Apple that get paid to find glitches’

At the heart of Apple’s shocking FaceTime bug, which allowed just about anyone to turn an iPhone into a live microphone, stands a 14-year-old boy who stumbled upon the eavesdropping flaw more than a week before Apple took action.

“The thing that surprised me the most was that this glitch happened in the first place,” said Grant Thompson, a high school freshman in Tucson, Arizona. “I’m only 14 and I found it by accident, instead of the people at Apple that get paid to find glitches.”

Not only that, but Grant and his mom said they spent a week unsuccessfully trying to get Apple to do something about the bug in its FaceTime group-chatting feature.

“It took nine days for us to get a response,” he said. “My mom contacted them almost every single day through email, calling, faxing.” Of the fax, he jokes, “I’m not even sure what that is. It’s probably older than I am.”

This eavesdropping scare is over now that Apple has disabled group chats, but the problem could dog the company for much longer. New York state officials have opened a consumer rights investigation. Others are raising questions about how long it took Apple to address the bug.

In a statement Friday, Apple thanked the Thompsons as it announced that it has identified a fix and will release it next week. FaceTime group chatting will resume then.

Grant, a straight-A student who plays basketball, does community volunteering and enjoys the video game “Fortnite,” was calling friends to play the game on a Saturday night, Jan. 19, when he discovered the flaw.

“If a 14-year-old kid discovered it, I wonder how many other people discovered it,” said Chris Wysopal, chief technology officer with the security firm Veracode.

Apple hasn’t said whether it has records that could answer that question.

Friday’s statement said Apple’s engineers worked quickly once it got the details needed to reproduce the bug. Although Apple didn’t acknowledge a delay, the company said it was “committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible.”

The company — at first widely praised for its swift response — could come under increased scrutiny as regulators seek to learn more about the vulnerability.

VIDEO: Apple to fix FaceTime bug that allowed eavesdropping

New York Attorney General Letitia James and Gov. Andrew Cuomo said Wednesday that they’re investigating “Apple’s failure to warn consumers about the FaceTime bug and slow response to addressing the issue.”

They said the bug jeopardized the privacy of New York consumers by allowing callers to activate another person’s microphone remotely even before the person has accepted or rejected the call. James said her office’s review will include a “thorough investigation into Apple’s response.”

Last October, Apple introduced the 32-person video conferencing feature for iPhones, iPads and Macs. With the bug, a FaceTime group-chat user calling another Apple device could hear audio — even if the receiver didn’t accept the call. The bug was triggered when callers turn a regular FaceTime call into a group chat, making FaceTime think the receiver had accepted the chat.

In Grant’s case, he had just gotten his Xbox ready and called to invite a friend, Nathan, to play “Fortnite” with him online.

“You can swipe up and add another person, so I added another friend of mine, Diego, to see if he also wanted to play,” he said. “But as soon as I added Diego, it forced Nathan to respond.”

They were shocked at first, then tried to repeat the bug and it happened every time, he said. His mother, Michele Thompson, said she started trying to reach Apple the next day.

“They could have tested it within two minutes, realized it was true and brought it up the chain at Apple,” said Thompson, who works as an attorney. “There needs to be a better process for the average citizen to report things like this. And a timelier response.”

She eventually reached someone who advised that she could register as a software developer to submit the bug. Such reports can sometimes lead to “bug bounties” so that those who discover a flaw can get a financial reward. The family hoped Grant could receive such an award, or at least some credit, for his discovery.

“Every day he would ask me, ‘Did we hear from Apple yet?’ she said.

The family tried reaching Apple through multiple channels. They left comments on Twitter, one of them directed to CEO Tim Cook, and uploaded a video to walk Apple engineers through the problem. But it wasn’t until a tech blog reported the flaw earlier this week — leading many people to experiment with the spying bug themselves — that Apple took the unusual measure of temporarily shutting down the group-chat feature.

Apple has declined to say when it learned about the problem. The company also wouldn’t say if it has logs that could show if anyone took advantage of the bug before it became publicly known this week. The company reached out to the Thompson family on Tuesday offering to give some public credit for their efforts, according to an email Michele Thompson shared with The Associated Press.

“It would be cool to just have Apple say thanks to me,” Grant Thompson said before Friday’s announcement from Apple. “And of course, the bug bounty, that would be pretty awesome to get, but as long as we got rid of this pretty groundbreaking bug, and Apple said thank you, that would be pretty cool.”

Matt O’Brien, The Associated Press

Like us on Facebook and follow us on Twitter.

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

Nanoose Bay author and poet Susan Pederson holds her book, ‘How Many Times Can You Say Goodbye?’, which is encompasses undelivered notes written to her best friend who was dying of cancer at the time. (PQB News file photo)
Nanoose Bay poet discusses hope in latest dance video

Pederson: ‘We all have something that we can do that will keep us going’

Shown is Quality Foods at 319 Island Highway in Parksville. The Island-based grocery chain announced on Jan. 25 it made a $2-per-hour pay premium, implemented during the COVID-19 pandemic, permanent. (Mandy Moraes photo)
COVID-19: Quality Foods makes $2-per-hour employee pay premium permanent

Island-based grocery chain had extended increase twice in 2020

Island Health chief medical officer Dr. Richard Stanwick receives a first dose of Pfizer vaccine, Dec. 22, 2020. (B.C. government)
COVID-19: Vancouver Island in a January spike while B.C. cases decrease

Island’s top doc Dr. Stanwick breaks down the Island’s rising numbers

(Twitter/Ateachersaurus)
The Pachena Bay shoreline in 2013. (Twitter/Ateachersaurus)
This week in history: 9.0 magnitude quake struck under what is now called Vancouver Island

According to First Nations elders, the 9.0-magnitude quake in 1700 CE kick-started a tsunami

(Kraft Dinner/Twitter)
Kraft Dinner launches candy-flavoured mac and cheese just in time for Valentine’s Day

Sweet and cheesy treat will be here just in time for the cheesiest holiday of the year

Extensive water on No. 4 and 5 at the Mount Brenton Golf Course following heavy rains earlier this month. (Photo by Don Bodger)
Island golf course does a booming business in 2020

A total of 15,000 more rounds played than the previous year at Mount Brenton

SAR crews worked late into the night Tuesday to rescue an injured snowboarder in North Vancouver. (Facebook/North Shore Rescue)
Complicated, dangerous rescue saves man in avalanche near Cypress Mountain

North Shore SAR team braves considerable conditions to reach injured snowboarder

A Cessna 170 airplane similar to the one pictured above is reported to be missing off the waters between Victoria and Washington State. Twitter photo/USCG
UPDATE: No sign of small plane that went down in waters south of Vancouver Island

Searchers out on both sides of border between Victoria and Port Angeles

A tip from the public helped Victoria police located and arrest wanted men Jonathon Muzychka and Dean Reber. (Courtesy of Victoria Police Department)
Tips lead police to arrest convicted killer, robber near downtown Victoria

Two men were at large after failing to return to community facility

The Pacific Rim Whale Festival is breaching for a COVID-safe return in March. (Poster photo by Owen Crosby)
Pacific Rim Whale Festival aims for virtual return in March

Educational celebration scheduled to arrive in Tofino-Ucluelet on March 15.

In this undated image made from a video taken by the Duke of Sussex and posted on @SaveChildrenUK by the Duke of Sussex and Meghan, Duchess of Sussex, shows the Duchess of Sussex reading the book “Duck! Rabbit!” to their son Archie who celebrates his first birthday on Wednesday May 6, 2020. The Canadian Paediatric Society is reminding families that the process of raising a reader starts from birth. (Duke of Sussex/@SaveChildrenUK)
Canadian Paediatric Society says raising a reader starts from birth

CPS says literacy is one of the strongest predictors of lifelong health outcomes

Employment, Workforce Development and Disability Inclusion Minister Carla Qualtrough responds to a question during a news conference Thursday August 20, 2020 in Ottawa. THE CANADIAN PRESS/Adrian Wyld
Easing rules for parental benefits created inequities among parents, documents say

Employment Minister Carla Qualtrough’s office says the government will make any necessary changes

Most Read