Confirming a suggestion floated by an Apple executive on Monday, Apple is going to be paying the family of Grant Thompson, the teenager who initially discovered and reported the bug to Apple. Thompson’s mother Michelle attempted to warn Apple about the exploit a week before it become major news, with tweets prompting Apple to acknowledge the issue and the discovery, and to temporarily disable the function.
It is unclear exactly how much Apple is providing Thompson, but Reuters reports Apple would “compensate” the family and make an additional gift towards Grant’s education. If the compensation element is part of the company’s Bug Bounty program, the amount could be anywhere between $25,000 and $200,000, though it is likely to be on the lower end of the scale.
The release notes for iOS 12.1.4 also includes an acknowledgement of the discovery, crediting Grant alongside another individual identified as Draven Morris.
The exploit was relatively simple to induce. The caller starts a FaceTime video call with a contact, then while the call is “ringing,” they add themselves to the call as a third party by tapping Add Person and entering their own phone number. If properly executed, a Group FaceTime call is started and the original recipient’s audio begins to stream before the call is accepted.
Today’s iOS 12.1.4 update, as well as a supplemental update for macOS Mojave, fixes the security hole on iPhones, iPads, and Mac. Apple has already taken steps to fix the issue on its servers.