Severe vulnerability in Apple FaceTime found by Fortnite player

The teen’s mother attempted to contact Apple with no success.
Written by Charlie Osborne, Contributing Writer

Before the so-called Apple "Facepalm" bug hit the headlines, the mother of a 14-year-old boy from Arizona had been trying to warn the tech giant about the vulnerability for over a week.

A FaceTime call made on 19 January by Michele Thompson's son, as reported by sister site CNET, began the chain of events. The teenager added a friend to the group conversation and, although the friend had not yet answered, was able to hear audio captured by the friend's iPhone before the call was picked up.

Grant Thompson replicated the security flaw a number of times before reporting the vulnerability to his mother -- who tried in vain to contact the iPhone and iPad maker.

Michele first took to Twitter, warning that a "major security flaw" in Apple's new iOS allowed her son to "listen in to your iPhone/iPad without your approval." The Verge reports that the vulnerability can also expose the recipient's live video feed if the recipient presses the side button or a volume button to dismiss the incoming call.



In addition, Thompson, a lawyer, sent Facebook messages, emailed Apple directly, called the firm's support line and even sent tweets to Apple CEO Tim Cook.

Having failed to capture Apple's interest, Thompson then sent a fax describing the security flaw on her firm's letterhead.

Still nothing. A YouTube video demonstrating how the bug could be exploited was then uploaded and sent to Apple.

"I tried my best to report it to them, and they didn't listen," Thompson said, according to CNET.

In Apple's defense, the tech giant must receive countless invalid and hoax bug reports, so separating legitimate causes for concern from the general noise is a constant battle.


An Apple representative eventually asked the 14-year-old's mother to submit the report through developer channels. Thompson complied on Friday but heard nothing more concerning the FaceTime flaw.

The vulnerability became widely known on Monday, which, ironically, was also 2019's Data Privacy Day. Hours before reports of the vulnerability went viral, Cook tweeted, "let us all insist on action and reform for vital privacy protections."

Apple's bug bounty program offers hundreds of thousands of dollars for valid, critical security bugs impacting its ecosystem. The same vulnerabilities can reach millions of dollars if sold to private exploit traders.

One such trader is Zerodium, which will pay researchers up to $2 million for remote iOS jailbreaks, for example. Selling to these kinds of traders, however, requires that reports are kept private and not disclosed to the affected vendor, and the bugs may end up in the hands of government entities, law enforcement, or corporations, which leaves ordinary users exposed to exploitation.


Apple has now taken the security flaw seriously and intends to release a software update this week to resolve the bug. 

In the meantime, the company has disabled the group chat functionality of FaceTime, which was introduced in iOS 12.1. Users can still make one-to-one FaceTime calls, but because Group FaceTime has been disabled server-side, the mitigation takes effect without any client update and prevents threat actors from exploiting the bug until a patch is released.

In related news, on Tuesday, Apple published its Q1 2019 financial results. The Cupertino, Calif.-based company reported non-GAAP earnings of $4.18 per share on revenue of $84.3 billion, a decline of five percent year-over-year.

However, the first quarter results did meet market expectations of earnings of $4.17 per share on revenue of $84 billion.

ZDNet has reached out to Apple and will update if we hear back. 
