A teenage bug bounty
By Tom Warren
First Published on February 7, 2019
Apple released iOS 12.1.4 today to fix a major security flaw in FaceTime that allowed people to eavesdrop on iPhone users. The bug was originally reported to Apple by Michele Thompson after her 14-year-old son, Grant, discovered that you could add yourself to a Group FaceTime call and force recipients to answer immediately. Apple was initially slow to respond, but the company has now credited the discovery to Grant Thompson of Catalina Foothills High School.
Apple also tells The Verge that it’s compensating the Thompson family for discovering the vulnerability, and providing an additional gift to fund Grant Thompson’s tuition. Apple hasn’t revealed exactly how much it’s paying the Thompson family.
Apple’s history with bug bounty rewards is mixed. The company originally started paying iOS bounties three years ago, but researchers have been reluctant to help Apple with its security. Apple offers up to $200,000 to security researchers who discover vulnerabilities and report them, but the bugs are often more valuable to sell elsewhere than to report. Earlier this week, a security researcher detailed a macOS flaw, but refused to submit it to Apple until the company pays researchers for Mac security flaws. Apple currently only offers compensation for iOS bugs, not macOS ones.
Alongside the compensation, Apple has also revealed that the company has fixed another FaceTime-related security flaw in the latest iOS 12.1.4 update. “In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security,” says an Apple spokesperson in a statement to The Verge. “This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.”