Before the world learned about Apple’s FaceTime bug, a 14-year-old boy in Arizona first discovered it, while playing a game of Fortnite with his friends.
On Jan. 19, Michele Thompson’s son started a group FaceTime call with his friends to talk while playing the online game. He added a friend, and was able to listen to conversations even though his friend hadn’t answered the call yet.
He first reported the bug to his mother, a lawyer in Arizona, who spent the last week trying to warn Apple about its FaceTime security flaw before the bug became widely known.
Apple users were vulnerable to a major bug that allowed people to listen in on FaceTime calls before the recipient answered the call.
The bug worked by adding your own number to a Group FaceTime call, which then allowed you to hear audio from the original recipient’s phone, even if that person did not accept the call. This essentially turned any device with Group FaceTime — including iPhones, iPads and Macs — into a listening device.
The bug first became public knowledge on Monday, prompting Apple to temporarily disable the Group FaceTime feature.
The company first introduced the feature with iOS 12.1 in late October. Apple said it would be releasing a patch for the flaw this week.
After stumbling into the FaceTime flaw, the teen repeated it multiple times to make sure the bug was for real, and then he showed it to his mother. Thompson said she was skeptical at first, but knew it was real after replicating it several times on her own.
After that, she tried contacting Apple to warn the company about the issue.
That included multiple tweets, Facebook messages, emails to Apple and calls to the support line over the last week, Thompson said. On Jan. 22, she also sent the company’s general counsel a fax about the bug, with her law firm’s letterhead on top.
She also uploaded a video on YouTube demonstrating the flaw on January 25, which she sent to Apple multiple times.
“I tried my best to report it to them, and they didn’t listen,” Thompson said.
The company did not respond to a request for comment.
At one point, she said she even tweeted at Apple’s CEO Tim Cook, warning that this would go public soon if Apple did not respond quickly. She said she felt bad about the tweet, and deleted it shortly after.
She found the process of reporting the bug to Apple “exhausting and exasperating,” even as an attorney who is experienced in filing legal documents on a daily basis.
An Apple representative told her over the phone that she would need to register as a developer to report the bug to the company. Apple has its own bug bounty program, but Thompson found many obstacles to reporting the major security flaw.
Oftentimes it is difficult for the general public to report security bugs, Marten Mickos, CEO of bug bounty platform HackerOne, said. But it’s slowly been shifting, he said.
“The noise of the crowd is absolutely worth it when you actually WILL find the needle in the haystack,” Mickos said in a statement.
Thompson registered as a developer and reported the bug, and heard back from Apple on Jan. 23, but did not get any indication that the flaw was going to be fixed.
“It’s extremely difficult for a citizen to report this and then get it noticed,” Thompson said. “I’m sure they get a lot of fake reports, but it’s frustrating because there is no clear way to report this issue.”