What's the Latest on Apple's Catastrophic FaceTime Bug?

By Rhett Jones

As Apple developers scramble to fix a disturbing bug in FaceTime that allowed users to eavesdrop on the people they call with the Group FaceTime function, we’ve learned the company was allegedly notified about the issue repeatedly before it was widely known. At least one lawsuit has already been filed against the tech giant. And so far, Apple isn’t really saying much about the ordeal.

On Monday evening, news spread that a flaw in Apple’s FaceTime video chat app made it possible to call someone and listen through their iPhone’s microphone while the call was ringing. If the caller hit the power or volume button while the call was ringing, they could see video from the camera on the recipient’s phone. It’s not the most useful hack if you’re looking to spy on someone, but it’s still ripe for abuse. Now, at least one person has filed a lawsuit against Apple claiming they were victimised by the security hole.

Bloomberg first reported that US-based attorney Larry Williams II filed suit against Apple on Monday claiming negligence, misrepresentation, and fraudulent concealment, among other things. Throughout the court document, Williams claims that Apple failed to notify users of the risk of harm in using FaceTime and that the app’s security flaw caused him professional harm. The lawsuit is light on details regarding the specific harm Williams incurred. It only states that the “Plaintiff was undergoing a private deposition with a client when the defective product breach allowed for the recording of a private deposition.” Williams did not immediately respond to a request for comment sent by Gizmodo.

On Tuesday, NBC News reported that a woman named Michele Thompson became aware of the FaceTime bug when her 14-year-old son accidentally stumbled on it while trying to arrange a match in the popular video game Fortnite with some friends. The boy demonstrated the eavesdropping technique to his mother on 19 January and she proceeded to reach out to Apple about it but couldn’t get a response, she told NBC. She reportedly sent several emails to Apple support and at one point was directed to the company’s bug bounty program. She then registered as a developer and reported the bug through that portal as well, but she says she was still met with silence. Thompson is an attorney who specialises in medical malpractice defence and tried sending a letter on her firm’s letterhead to Apple’s general counsel on 22 January. Two days earlier, she even tweeted about it without providing sensitive details and tagged Apple along with Fox News.

After 9to5Mac reported on the bug, the cat was out of the bag. Apple acknowledged the issue and said it would have a fix later this week. In the meantime, it disabled Group FaceTime on the server side. And that’s been its last word on the issue. During its highly-anticipated earnings call on Tuesday afternoon, the problem wasn’t mentioned by CEO Tim Cook or any other executives. Tim Cook’s last tweet came on Monday, just before the flaw was reported. It reads: “On this #DataPrivacyDay let us all insist on action and reform for vital privacy protections. The dangers are real and the consequences are too important.”

We’ve reached out to Apple for comment on this story as well as to ask if it intends to reward Thompson with a bug bounty for reporting the security flaw. We also asked if Apple has a way of identifying if users were the victim of this eavesdropping technique and if so, whether Apple intends to notify those users.

We’ve seen in the past that within the limited information that Apple collects on user activity, it has stored the identity of FaceTime callers and the times the calls took place. We’ll update this post if and when we receive a response from Apple.

In addition to the potential repercussions that Apple could face in court, we’re sure any lawmaker who has recently used FaceTime might have an interest in this situation. [Harris County District Court, Bloomberg, NBC News]
