Updated You might want to disable FaceTime on your iPhone, iPad, or Mac until Apple patches this bonkers bug.
Folks have confirmed it is possible to call someone via FaceTime, and secretly listen in on their iThing or Mac's microphone before they accept or reject a call. It's a handy, creepy way to find out what someone's up to before they answer. We're told iOS 12.1 and 12.2, and macOS Mojave are vulnerable at least.
There's no indication, on screen or otherwise, that this eavesdropping is happening to your victim. It's even possible to snoop on the video camera.
Here's the steps to reproduce the security blunder: on an iPhone, video call a contact using FaceTime on a vulnerable device, and while connecting, swipe up and add a person to the call. Then add your number, and your group call will secretly pipe in the other person's microphone audio, even if they haven't responded yet.
Incredibly, if the callee hits the power button, the front-facing camera feed is also secretly shown to the caller, though the callee can now hear your audio. Here's a video doing the rounds demonstrating the hack:
Apple reckons it'll push out a software fix for this privacy gaffe later this week. Instructions on disabling FaceTime in the meantime are here. ®
Updated to add
Ahead of issuing a software fix, Apple killed Facetime Group calls from the server side to stop people exploiting this hole. Also, it appears Apple was told about the flaw at least as early as January 20.