In a support document outlining the security content of iOS 12.1.4, Apple credited both 14-year-old Grant Thompson of Catalina Foothills High School in Tucson, Arizona and Daven Morris of Arlington, Texas with reporting a major Group FaceTime bug to the company that allowed users to eavesdrop on others.
Thompson and his mother are widely known for being the first people to discover and report the bug to Apple, over a week before it made headlines on January 28, but nothing was known about Morris until now.
The Wall Street Journal today shared a few details about Morris, noting he is a 27-year-old software engineer who reported the bug to Apple on January 27, several days after the Thompsons but one day before it made headlines. He apparently discovered the bug a week earlier while planning a group trip with friends.
Apple on Thursday said it will compensate the Thompson family for finding and reporting the bug and make an additional gift toward Grant Thompson's education. Apple hasn't disclosed the exact sums of the donations. It's unclear if Morris will also be compensated by the company for reporting the bug.
In a statement issued to MacRumors, Apple apologized for the bug a second time and assured customers that it has been fixed in iOS 12.1.4, as has a previously unreported vulnerability in the Live Photos feature of FaceTime:
Today's software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.
Apple has reenabled its Group FaceTime servers, but the feature will remain permanently disabled on iOS 12.1 through iOS 12.1.3.
Widely publicized last month, the FaceTime bug allowed one person to call another person via FaceTime, slide up on the interface and enter their own phone number, and automatically gain access to audio from the other person's device without that person accepting the call. In some cases, even video was accessible.
We demonstrated the bug in a video at the time:
Apple already faces a lawsuit in Texas, a proposed class action lawsuit in Canada, questions from a U.S. Congress committee, and an investigation by New York officials over the bug and its serious privacy implications.
