In late January, Daven Morris dialed into a FaceTime call, Apple’s software that allows users to make video calls, to plan a trip with friends.
But something was wrong.
Morris, 27, could hear his friends who had not yet answered the call. FaceTime had turned on his friend’s microphone without his knowledge or permission and was streaming the audio to Morris.
Morris was blown away — he could listen into his friend’s conversation, and the friend had no idea.
At first, the Arlington software developer messed around a bit, trying the same process repeatedly and always getting the same results — he could eavesdrop on someone’s conversation without their knowledge.
“I realized this was kind of serious,” Morris said.
As a software developer, Morris recognized the implications of the bug.
“Say for instance a top level executive or the president has an iPhone, somebody could FaceTime him and listen to critical information they shouldn’t hear. It’s a major security flaw,” he said.
Morris alerted Apple security to the flaw and made an official report on Jan. 27 describing the bug in detail.
When Apple acknowledged the flaw on Jan. 28, concern about privacy and the tech giant’s ability to spy on users grew. The bug allowed users dialing into a group chat to hear audio, and sometimes full video, from people who had not yet answered the video call.
Last week, Apple apologized for the glitch. On Thursday, the company rolled out software updates to iPhones designed to fix the issue.
Apple credited Morris as one of two people who discovered and reported the bug to the company in its security report on the flaw.
Most national headlines about the flaw focused on the 14-year-old who also discovered it. Grant Thompson of Tuscon, Arizona, and his mother, Michele, alerted Apple to the bug after Grant discovered it while in a group FaceTime with friends Jan. 19.
Apple said it compensated the Thompson family as well as made a gift toward Grant’s education.
Grant’s discovery was more than a week before the bug made headlines Jan. 28.
While Morris said Grant’s mom talked to Apple via Twitter, he said he was the first one to make an official report of the glitch.
Morris said he has not been compensated by Apple, but was told they were working on it.
The bug appeared to rely on FaceTime’s group call feature, which launched last year, not two-way video call. When another person is added to the group, audio and video can be heard before they accept the call.
The update launched Thursday should fix the bug, Apple said.
“We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix,” the company’s statement read.
The flaw was so concerning to New York Gov. Andrew Cuomo and Attorney General Letitia James, they said New York would launch an investigation in to Apple.
Two high-ranking U.S. representatives, New Jersey’s Frank Pallone Jr. and Jan Schakowsky of Illinois, sent Apple CEO Tim Cook a letter seeking answers about the bug, saying they were “deeply troubled” over the time it took Apple to address the matter.
The FaceTime bug comes at a time of increased scrutiny about online privacy.
In late September, Facebook announced an attack on its network exposed 50 million users’ personal information. A cyber attack on the Marriott hotel chain collected customer information for roughly 500 million guests and was linked to Chinese intelligence-gathering that also hacked health insurers and security clearance files for millions more Americans, the New York Times reported.