
How a teenage 'Fortnite' player found Apple's FaceTime bug — and why it was so hard to report it

Grant Thompson just wanted to play "Fortnite" and chat with friends. His discovery led Apple to suspend a popular iPhone feature.

Grant Thompson, a 14-year-old high school student in Tucson, Arizona, just wanted to chat with friends and play some "Fortnite" when he discovered a major bug in Apple's popular FaceTime feature.

On Jan. 19, Thompson called his friend Nathan using FaceTime, but Nathan didn't pick up. So Thompson swiped up and added another friend, a move that instantly connected him with Nathan, whose phone was still ringing.

"We were pretty shocked at first because it was still ringing on his phone," he said in an interview. "After that we tested it for about half an hour to see if it worked every time."

It did. Thompson had discovered a bug that allowed him to force other iPhones to answer a FaceTime call, even if the other person didn't take any action. Apple has since disabled the "Group FaceTime" feature, and a software update to fix the bug is expected to be released, but not before users expressed widespread shock at the flaw in an Apple device typically known for security.

Thompson brought his discovery to his mother, Michele Thompson, a lawyer. She could hardly believe it herself.

"I was doubtful," she said. "He showed it to me on my iPhone and it worked."

For the next week, Michele Thompson, 43, tried to notify Apple of the flaw through a variety of avenues, many of which were dead ends.

"It was very frustrating getting them to respond," she said. "I get it. I'm sure they get all sorts of kooks that try to report things to them."

Thompson provided emails to NBC News that showed her efforts to contact Apple, including an Apple representative who directed her to the company's "bug reporter" program and bug bounty program. Thompson said she initially withheld the details of what her son had found in hopes of finding the right person at Apple to explain the problem. She also tweeted and tagged the company.

Thompson also tried to alert the media, tweeting what her son had found.

Apple did not respond to requests for comment.

Turning to the bounty program, Thompson said she registered as a developer so that she could bring it to the company's attention. Thompson said that she hoped her son might be able to claim a bounty for the bug but that the process required technical knowledge she didn't have.

Bug bounty programs, in which people are given monetary rewards for finding security flaws, have become popular with companies that hope to find problems before they can be exploited. Apple launched its bug bounty program in August 2016. Payouts can range from $25,000 to $200,000.

The bug comes at an inopportune time for Apple. The company reports quarterly earnings on Tuesday afternoon, financial updates that the company has already warned will come in under analysts' expectations.

Apple has also positioned itself as a champion of privacy in the social media age, with CEO Tim Cook routinely espousing the company's dedication to keeping users safe. Cook's most recent tweet, sent Monday, heralds "#DataPrivacyDay."

With few other options, Thompson, who specializes in medical malpractice defense, sent a letter on her firm's letterhead on Jan. 22 to Apple's general counsel. The letter was headed: "Urgent Security Issue Regarding iOS 12.1.3." There was no response.

With little success in getting the company's attention, Thompson said her son convinced her to reveal the full details of the bug. The family made a video and uploaded it to YouTube (it is unlisted and Thompson asked that it not be made public since it contains their phone numbers) on Jan. 25, walking through the bug. She then sent the company a two-page letter explaining the issue with a link to the video, according to emails she shared with NBC News.

Thompson said she planned to wait a week before sending the video to the press. Then, on Monday, the Apple-centric tech publication 9to5Mac broke the story of the bug. The story was picked up by dozens of news outlets.

"All of a sudden, lo and behold, last night my friend said, 'Hey, I just saw this report on CNBC,'" Thompson said.

Benjamin Mayo, the app developer and blogger who broke the story for 9to5Mac, said that he did see Thompson's tweet after his article was published but that she did not have anything to do with his reporting.

Theresa Payton, CEO of cybersecurity consultancy Fortalice Solutions and a former White House chief information officer, said the Apple flaw shows that while most people have embraced smartphones, they are still devices with cameras and microphones that can violate users' privacy.

Payton noted that companies should also be working to make sure that they are responsive to people who find security flaws.

"I think it would behoove Apple to take a look at their process and figure out what went wrong here," Payton said.

Payton added that she understands the challenges companies can face in terms of the sheer volume of false alarms, but noted that language-processing technologies can help comb through responses to help determine which ones are likely to be legitimate.

"I think again this is another one of those kind of situations where customer service has not been able to keep pace with the hockey stick-like growth that big tech companies and social media companies have experienced," Payton said.

Thompson said she has not heard back from Apple concerning her attempts to alert the company about the bug since it was publicly revealed. She added that she would not have done anything differently.

And she'll still be an iPhone user.

"I love Apple products and will continue to use them," Thompson said. "Obviously I am disappointed and concerned that this happened and hope they address the issue quickly."