Even more disconcerting is the fact that a brief glimpse of video could also be transmitted from the receiver’s phone if they hit the power button to end the call. Both of these instances are serious lapses in iOS security and are a black mark on a company that prides itself on user privacy. However, Twitter user MGT7500 says that she initially contacted Apple about the FaceTime bug over a week ago.
My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport...waiting to hear back to provide details. Scary stuff! #apple #bugreport @foxnews — MGT7 (@MGT7500) January 21, 2019
The Twitter user claims that her 14-year-old son stumbled upon the FaceTime bug, saying “He can listen in to your iPhone/iPad without your approval.” She went on to add that she had video evidence, which she submitted via bug report. Not only that, she says that she called, faxed, and emailed Apple about the issue. She even reached out via Facebook Messenger to no avail.
In a January 22nd email to Apple Support (and via her tweet), MGT7500 makes it clear she was also seeking to find out if Apple’s Bug Bounty program would apply in this situation, with the proceeds going to her son. In that same email, we can see that Devin from Apple Product Security did respond, but we cannot see what he told her. In a subsequent tweet, MGT7500 explains what she was told:
After several emails w/ Apple, they told me I could register as a developer to submit the bug report which I did (even though I’m the farthest thing from a developer). Also emailed it directly to product-security@apple with full details. — MGT7 (@MGT7500) January 29, 2019
MGT7500 kept quiet about the specific details of the discovery – at least via Twitter – until the news broke last night when she went on a tweetstorm asking that her son get credit for the discovery.
Since the FaceTime bug went global, Apple has temporarily disabled Group FaceTime, which should prevent anyone from exploiting this loophole. The only comment that Apple has made about the discovery is that it has “identified a fix that will be released in a software update later this week.”