Until a bug in iOS 12.1 or later is fixed, an exploit allows a FaceTime Video caller to hear the audio, and potentially see video, from the recipient's iPhone without the call even being picked up.
First spotted on social media, the procedure to induce the bug is fairly simple. The caller starts a FaceTime video call with a contact, then while the call is "ringing," they add themselves to the call as a third party by tapping Add Person and entering their own phone number.
If properly executed, a Group FaceTime call is started and the original recipient's audio begins to stream before the call is accepted.
While AppleInsider has duplicated the bug on an iPhone X, iPhone XR, iPhone XS Max, it does not seem to cross over to a Mac accepting a call from an iPhone with Handoff. That said, the recipient iPhone's audio is still sent to the caller. The audio is not bi-directional, and streams from the recipient to the caller only.
Obviously, this does not allow anybody to listen in on any other iPhone surreptitiously, as the call still has to be made in the first place. The recipient's phone will indicate that there is an incoming FaceTime call. Some users, like The Verge's Dieter Bohn, have seen camera access enabled when interacting with an iPhone's power button to dismiss a call, though AppleInsider was unable to confirm.
Until Apple specifically addresses the issue, the safest course is to assume that any incoming FaceTime call is being listened in on by the caller.
Those concerned can disable FaceTime by navigating to Settings > FaceTime and toggling the FaceTime button to the off position.
AppleInsider has reached out to Apple about the issue.
Update: Apple in a statement to BuzzFeed confirmed it is aware of the issue and has "identified a fix that will be released in a software update later this week."