Apple has filed a lawsuit against OpenAI, alleging that a former employee exploited a rare, previously unknown authentication bug to access and download confidential files after leaving the tech giant for a position at OpenAI. According to the complaint, the individual, identified as Chang Liu, a former system electrical engineer, allegedly accessed Apple's internal network using the vulnerability, which Apple described as a zero-day flaw, meaning it had not been publicly disclosed or patched prior to exploitation. The incident reportedly occurred weeks after Liu left Apple for a role at OpenAI. During this period, he allegedly downloaded dozens of confidential hardware-related files, including detailed information about unreleased products, engineering presentations, technical specifications, and proprietary project data. Apple claims Liu retained access to its internal systems through the unpatched vulnerability, which allowed him to continue accessing Apple's network even after his departure. According to the complaint, Liu did not report the bug to Apple as required under his employment agreement. He also failed to return his Apple-issued work laptop, which had been used to access Apple's internal systems. Apple stated that Liu allegedly claimed to have another computer, though it is unclear whether this assertion holds true. Additionally, Liu is accused of misusing the access of an acquaintance, Yu-Ting Peng, a former Apple employee who later joined OpenAI. While Peng was still employed at Apple, Liu allegedly used her issued work laptop to gain access to Apple's internal systems. Apple alleges that Liu attempted to access its network storage, a cloud-based file repository containing confidential engineering files, project documentation, and other proprietary information, during February 2026. This access was possible due to the authentication vulnerability, which allowed Liu to bypass standard security protocols. Although Apple did not specify the exact nature of the bug, authentication vulnerabilities typically involve weaknesses in login mechanisms or misconfigurations that permit unauthorized access. Apple has since addressed the issue by fixing the bug and terminating the former employee's access to its systems. The company emphasized that the vulnerability was rare and previously unknown, indicating that only a limited number of individuals might have been affected. Server logs reviewed by Apple suggest that only Liu exploited the bug to steal confidential information after leaving the company. The case underscores broader concerns regarding the protection of sensitive corporate data following an employee's departure. Organizations often struggle to ensure complete decommissioning of former employees' access, which can lead to potential security risks, data breaches, or malicious activities by disgruntled staff. Apple's response included immediate action to rectify the situation, highlighting the importance of robust security measures and timely updates to prevent similar incidents. Apple has not yet responded to inquiries about the specific details of the authentication bug, how it was exploited, or when the company decommissioned the former employee's credentials. The ongoing legal proceedings against OpenAI are expected to provide more clarity on the extent of the alleged data theft and the implications for both companies involved.
★
Ohranimo novice poštene.
ObjectiveNews financirajo bralci in je brez oglasov – pristranskost vam pokažemo, ne skrijemo. Podprite neodvisno novinarstvo za 5 €/mesec.
Postani podpornik