What Causes the Bug?
It isn’t readily clear what the exact bug is, but it appears to be tied to the way that Group FaceTime handles multi-user calls.
The vulnerability is accessed when a caller FaceTimes another user but adds their own phone number as a “third” party to a Group FaceTime call. Group FaceTime appears to automatically connect the caller to themselves and the original recipient.
The bug also appeared to be device agnostic, since it has been demonstrated on a variety of iOS and macOS devices running the latest software. Because of that, it’s likely a flaw within the Group FaceTime feature itself.