Early last week, researchers uncovered a critical bug in Apple iOS devices that could allow FaceTime users to access the microphone and front camera of whoever they are calling, even if the call recipient does not answer the call.
The bug allowed callers to initiate a Group FaceTime call, activate the call recipient's microphone, and listen to what was happening in the room without the recipient’s knowledge. Furthermore, if the recipient pressed the power button to mute the FaceTime call, the bug enabled the front camera.
Security update released
Apple stated that it was aware of the issue and was working on a fix that would be released in a security update. Additionally, while working on a fix, Apple disabled the Group FaceTime feature.
As promised, on February 7, 2019, Apple released the security update (iOS 12.1.4) that fixes the Group FaceTime bug on iPhone, which allowed callers to listen to and watch recipients. In the release notes, Apple said the bug was caused by a logic issue in the handling of Group FaceTime calls.
“A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management,” the release notes read.
Apple has also released the macOS Mojave 10.14.3 Supplemental Update to fix the Group FaceTime bug.
Apple recognizes the 14-year-old teenager
Apple has also recognized Grant Thompson, the 14-year-old who originally discovered the Group FaceTime bug, by crediting him in the release notes of the security update.
“CVE-2019-6223: Grant Thompson of Catalina Foothills High School, Daven Morris of Arlington, TX.”
Thompson, who discovered the Group FaceTime bug, made several attempts to report it to Apple. Unfortunately, Apple never responded to Thompson’s attempts and only learned of the bug when videos of it went viral on social media.
Many people have been asking Apple to issue Thompson a bug bounty reward. However, Apple has not stated whether it plans to do so.