Apple might pay teenager who found Group FaceTime surveillance bug

Posted:
in iPhone edited February 2019
An Apple executive has reportedly suggested that the 14-year-old who discovered the Group FaceTime surveillance exploit would be rewarded by the company's bug bounty program.

Left, Michelle Thompson; Right Grant Thompson
Left, Michelle Thompson; Right Grant Thompson


One week after social media picked up on a FaceTime exploit that allowed callers to eavesdrop on a recipient before the call is picked up, the original discoverer has been visited by an unnamed Apple executive.

"They also indicated that Grant would be eligible for the bug bounty program. And we would hear from their security team the following week in terms of what that meant," said discoverer Grant Thompson's mother Michele Thompson. "If he got some kind of bug bounty for what he found we'd certainly put it to good use for his college because I think he's going to go far, hopefully. This is actually a field he was interested in before and even more so now."

In an interview with CNBC's Squawk Box Grant said that he isn't fazed by the process, and will still continue to use Apple's products, saying that "every now and then something like this just falls through the cracks and can be found."

Michele Thompson declined to identify the Apple executive in question.

The exploit was relatively simple to induce. The caller starts a FaceTime video call with a contact, then while the call is "ringing," they add themselves to the call as a third party by tapping Add Person and entering their own phone number. If properly executed, a Group FaceTime call is started and the original recipient's audio begins to stream before the call is accepted.

After the bug picked up some traction on social media, Apple disabled Group FaceTime, preventing the execution of the flaw. Apple has since apologized for the bug, and a patch is expected shortly.

It was claimed on Tuesday that Apple was informed about the privacy bug a week prior, with posts on Twitter seemingly confirming the timeframe. It is unknown if the bug was reported through Apple's official bug reporting mechanism or was performed by other means.

The later postings on Twitter about the prior alert to the company were called into question, due to a number of elements on the account making it seem dubious. A timestamp on one screenshot showed the use of GMT rather than Mountain Time or another appropriate timezone, while posts prior to January 1 were eradicated, among other issues that made the social media testimony seem dubious at the time.

Apple's bug bounty program was announced in 2016, offering thousands of dollars as a reward to people discovering vulnerabilities in its products and services. The bounties range from $25,000 for access from a sandboxed process to user data outside of that sandbox to $200,000, awarded for secure boot firmware component discoveries.

It is unclear where on the scale the FaceTime bug sits on the scale, but it is likely to be on the lower end of the range overall.

The bug bounty program may offer high rewards, but it has previously been criticized for failing to be enough for security researchers to participate, as iOS bugs may gain a higher bounty by being sold to private companies seeking ways to defeat Apple's security. In 2017, it was suggested iOS exploits could be bought for $500,000 from some firms, with one paying upward of $1.5 million for a full set of bugs that can jailbreak an iPhone.

Comments

  • Reply 1 of 7
    carnegiecarnegie Posts: 1,082member
    I would hope that a bug bounty program would only reward people if they, upon discovering a bug that can be used for nefarious purposes, report it to, e.g., Apple and don’t otherwise further awareness of how it works.
  • Reply 2 of 7
    jbdragonjbdragon Posts: 2,312member
    Here I thought if you just found a bug, you report it and that's the end of it. It gets fixed. Now people need to be rewarded for something like this?
  • Reply 3 of 7
    jbdragon said:
    Here I thought if you just found a bug, you report it and that's the end of it. It gets fixed. Now people need to be rewarded for something like this?
    The point of the rewards is to encourage the people who find bugs to inform Apple instead of selling that info on the black market. It's in Apple best interested to get security bugs fixed, that's why they have a program. No need to be angry about other people asking their fair share.
    aaronkalbirelandThrashmanevilutionwatto_cobra
  • Reply 4 of 7
    MplsPMplsP Posts: 4,038member
    I think bug bounty programs are a good idea and if this kid meets the criteria, he should get paid.
    aaronkalbwatto_cobra
  • Reply 5 of 7
    An Apple executive has reportedly suggested that the 14-year-old who discovered the Group FaceTime surveillance exploit would be rewarded by the company's bug bounty program.

    Left, Michelle Thompson; Right Grant Thompson
    Left, Michelle Thompson; Right Grant Thompson


    One week after social media picked up on a FaceTime exploit that allowed callers to eavesdrop on a recipient before the call is picked up, the original discoverer has been visited by an unnamed Apple executive.

    "They also indicated that Grant would be eligible for the bug bounty program. And we would hear from their security team the following week in terms of what that meant," said discoverer Grant Thompson's mother Michele Thompson. "If he got some kind of bug bounty for what he found we'd certainly put it to good use for his college because I think he's going to go far, hopefully. This is actually a field he was interested in before and even more so now."

    In an interview with CNBC's Squawk Box Grant said that he isn't fazed by the process, and will still continue to use Apple's products, saying that "every now and then something like this just falls through the cracks and can be found."

    Michele Thompson declined to identify the Apple executive in question.

    The exploit was relatively simple to induce. The caller starts a FaceTime video call with a contact, then while the call is "ringing," they add themselves to the call as a third party by tapping Add Person and entering their own phone number. If properly executed, a Group FaceTime call is started and the original recipient's audio begins to stream before the call is accepted.

    After the bug picked up some traction on social media, Apple disabled Group FaceTime, preventing the execution of the flaw. Apple has since apologized for the bug, and a patch is expected shortly.

    It was claimed on Tuesday that Apple was informed about the privacy bug a week prior, with posts on Twitter seemingly confirming the timeframe. It is unknown if the bug was reported through Apple's official bug reporting mechanism or was performed by other means.

    The later postings on Twitter about the prior alert to the company were called into question, due to a number of elements on the account making it seem dubious. A timestamp on one screenshot showed the use of GMT rather than Mountain Time or another appropriate timezone, while posts prior to January 1 were eradicated, among other issues that made the social media testimony seem dubious at the time.

    Apple's bug bounty program was announced in 2016, offering thousands of dollars as a reward to people discovering vulnerabilities in its products and services. The bounties range from $25,000 for access from a sandboxed process to user data outside of that sandbox to $200,000, awarded for secure boot firmware component discoveries.

    It is unclear where on the scale the FaceTime bug sits on the scale, but it is likely to be on the lower end of the range overall.

    The bug bounty program may offer high rewards, but it has previously been criticized for failing to be enough for security researchers to participate, as iOS bugs may gain a higher bounty by being sold to private companies seeking ways to defeat Apple's security. In 2017, it was suggested iOS exploits could be bought for $500,000 from some firms, with one paying upward of $1.5 million for a full set of bugs that can jailbreak an iPhone.
    Give rhe guy $200,000 for doin what the tech team screwed up.  Can I report siri’s exquisite ignorance?  I need no bounty.
  • Reply 6 of 7
    jungmarkjungmark Posts: 6,927member
    A post on Twitter or an email to Cook isn't sufficient to contact Apple. How many emails does he get a day? How many mentions does Apple get a day? That being said, the kid earned the bounty. Apple has to come up with a better bug reporting mechanism for common users. Perhaps tie it to the Apple ID. 
    watto_cobra
  • Reply 7 of 7
    irelandireland Posts: 17,799member
    stanhope said:
    An Apple executive has reportedly suggested that the 14-year-old who discovered the Group FaceTime surveillance exploit would be rewarded by the company's bug bounty program.

    Left, Michelle Thompson; Right Grant Thompson
    Left, Michelle Thompson; Right Grant Thompson


    One week after social media picked up on a FaceTime exploit that allowed callers to eavesdrop on a recipient before the call is picked up, the original discoverer has been visited by an unnamed Apple executive.

    "They also indicated that Grant would be eligible for the bug bounty program. And we would hear from their security team the following week in terms of what that meant," said discoverer Grant Thompson's mother Michele Thompson. "If he got some kind of bug bounty for what he found we'd certainly put it to good use for his college because I think he's going to go far, hopefully. This is actually a field he was interested in before and even more so now."

    In an interview with CNBC's Squawk Box Grant said that he isn't fazed by the process, and will still continue to use Apple's products, saying that "every now and then something like this just falls through the cracks and can be found."

    Michele Thompson declined to identify the Apple executive in question.

    The exploit was relatively simple to induce. The caller starts a FaceTime video call with a contact, then while the call is "ringing," they add themselves to the call as a third party by tapping Add Person and entering their own phone number. If properly executed, a Group FaceTime call is started and the original recipient's audio begins to stream before the call is accepted.

    After the bug picked up some traction on social media, Apple disabled Group FaceTime, preventing the execution of the flaw. Apple has since apologized for the bug, and a patch is expected shortly.

    It was claimed on Tuesday that Apple was informed about the privacy bug a week prior, with posts on Twitter seemingly confirming the timeframe. It is unknown if the bug was reported through Apple's official bug reporting mechanism or was performed by other means.

    The later postings on Twitter about the prior alert to the company were called into question, due to a number of elements on the account making it seem dubious. A timestamp on one screenshot showed the use of GMT rather than Mountain Time or another appropriate timezone, while posts prior to January 1 were eradicated, among other issues that made the social media testimony seem dubious at the time.

    Apple's bug bounty program was announced in 2016, offering thousands of dollars as a reward to people discovering vulnerabilities in its products and services. The bounties range from $25,000 for access from a sandboxed process to user data outside of that sandbox to $200,000, awarded for secure boot firmware component discoveries.

    It is unclear where on the scale the FaceTime bug sits on the scale, but it is likely to be on the lower end of the range overall.

    The bug bounty program may offer high rewards, but it has previously been criticized for failing to be enough for security researchers to participate, as iOS bugs may gain a higher bounty by being sold to private companies seeking ways to defeat Apple's security. In 2017, it was suggested iOS exploits could be bought for $500,000 from some firms, with one paying upward of $1.5 million for a full set of bugs that can jailbreak an iPhone.
    Give rhe guy $200,000 for doin what the tech team screwed up.  Can I report siri’s exquisite ignorance?  I need no bounty.
    Sure, for Apple $200,000 is nothing, but let’s pay fairly. It’s a big bug but one that several people were bound to find soon enough, I would imagine. So in that case I can see him getting closer to $25 than $200K.
    watto_cobra
Sign In or Register to comment.