Apple says former employee exploited ‘rare’ bug to download confidential files after leaving for OpenAI
Apple says former employee exploited ‘rare’ bug to download confidential files after leaving for OpenAI
苹果称前员工在跳槽 OpenAI 后利用“罕见”漏洞下载机密文件
On Friday, Apple dropped the bombshell news it was suing OpenAI over the alleged theft of trade secrets, claiming that OpenAI stole Apple’s confidential data and engaged in efforts to learn proprietary information while recruiting former Apple employees. 周五,苹果公司抛出重磅消息,宣布起诉 OpenAI 涉嫌窃取商业机密。苹果声称,OpenAI 在招募前苹果员工的过程中,窃取了苹果的机密数据并试图获取其专有信息。
In accusing OpenAI of stealing secrets about Apple’s unreleased products, Apple revealed that a former employee allegedly siphoned reams of sensitive files from the company’s shared network folders, weeks after leaving Apple for a job at OpenAI. 在指控 OpenAI 窃取有关苹果未发布产品机密的同时,苹果披露了一名前员工在离职加入 OpenAI 数周后,涉嫌从公司共享网络文件夹中窃取了大量敏感文件。
In its complaint, Apple says the former employee, a system electrical engineer named Chang Liu, allegedly “exploited a rare, previously unknown authentication bug” that allowed access to the company’s network. The bug is classified as a zero-day vulnerability, meaning that Apple had no time to fix it before it was allegedly exploited. 在诉状中,苹果表示这名前员工是一名名为 Chang Liu 的系统电气工程师,他涉嫌“利用了一个罕见的、此前未知的身份验证漏洞”来访问公司网络。该漏洞被归类为零日漏洞,意味着苹果在漏洞被利用前根本没有时间进行修复。
Apple has since fixed the bug and said it terminated the employee’s access once it learned of this “security breach.” In its complaint, Apple said the bug could have allowed a “few other” people to access data on its network, but alleged that only Liu exploited the bug to steal Apple’s confidential information while no longer an employee, citing a check of its server logs. 苹果此后已修复了该漏洞,并表示在获悉此次“安全漏洞”后,已终止了该员工的访问权限。苹果在诉状中称,该漏洞可能允许“少数其他”人访问其网络数据,但根据服务器日志检查结果,苹果指控只有 Liu 在离职后利用该漏洞窃取了苹果的机密信息。
The disclosure, while light in detail, highlights the challenges that organizations face with protecting sensitive corporate data after employees no longer work there. Companies often move to immediately cut off departing staff from further access to protect any sensitive information from leaving, including inadvertently. 尽管披露的细节不多,但这凸显了企业在员工离职后保护敏感数据所面临的挑战。为了防止敏感信息(包括无意泄露)外流,公司通常会采取行动,立即切断离职员工的访问权限。
Companies that fail to fully decommission their employees’ accounts can face future security lapses, data breaches, or malicious actions by disgruntled staff. Apple spokespeople did not respond to an email from TechCrunch with questions about the security vulnerability, how it was exploited, and when the company decommissioned the employee’s credentials. 未能完全注销离职员工账户的公司,可能会面临未来的安全漏洞、数据泄露或心怀不满的员工所采取的恶意行为。苹果发言人未回复 TechCrunch 发出的电子邮件,该邮件询问了有关安全漏洞、漏洞如何被利用以及公司何时注销该员工凭证的问题。
“LOL… so funny.” In the complaint, Apple alleged that Liu took “dozens of Apple’s confidential hardware-related files” over the course of several weeks while as a new OpenAI employee. Apple said the files contained “detailed information about unreleased products, engineering presentations, technical specifications, and proprietary project data.” “哈哈……真好笑。”在诉状中,苹果指控 Liu 在入职 OpenAI 的几周内,窃取了“数十份苹果机密硬件相关文件”。苹果表示,这些文件包含“有关未发布产品的详细信息、工程演示文稿、技术规格和专有项目数据”。
The company claims Liu failed to return the Apple-issued work laptop he had previously used to access Apple’s network, suggesting it was once able to send and receive files from Apple’s internal systems. The complaint said that Liu allegedly claimed to have “another computer.” 苹果公司声称,Liu 未能归还他此前用于访问苹果网络的工作笔记本电脑,这表明该设备曾能够从苹果内部系统发送和接收文件。诉状称,Liu 曾声称自己有“另一台电脑”。
While he was at OpenAI, Liu also allegedly misused the access of an acquaintance, Yu-Ting Peng, a then-Apple employee who later went to work for OpenAI. Liu allegedly used Peng’s Apple-issued work laptop “while she was still employed at Apple and he was not.” 在 OpenAI 工作期间,Liu 还涉嫌滥用了其熟人 Yu-Ting Peng 的访问权限,后者当时是苹果员工,后来也去了 OpenAI 工作。据称,Liu 在“Peng 仍受雇于苹果而他已离职时”,使用了 Peng 的苹果工作笔记本电脑。
Apple said that during February 2026, Liu “tried to access Apple’s network storage — a cloud-based file repository containing Apple’s confidential engineering files, project documentation, and other proprietary information.” Liu had allegedly discovered that he “still could access Apple’s network repository after leaving Apple, the result of a then-unknown authentication vulnerability.” 苹果表示,在 2026 年 2 月期间,Liu “试图访问苹果的网络存储——一个包含苹果机密工程文件、项目文档和其他专有信息的云端文件库。”据称,Liu 发现他在“离开苹果后仍然可以访问苹果的网络存储库,这是当时一个未知的身份验证漏洞所致。”
Apple did not describe the authentication “bug” that Liu allegedly used to access Apple’s network. However, authentication bugs generally refer to flaws in the login process that allow improper access to systems or data, either because of a weakness in how the login mechanism works or due to a misconfiguration, such as overbroad permissions or not decommissioning the login credentials of a former employee. 苹果没有描述 Liu 涉嫌用于访问其网络的身份验证“漏洞”。然而,身份验证漏洞通常指登录过程中的缺陷,这些缺陷允许对系统或数据进行不当访问,原因可能是登录机制的工作方式存在弱点,或者是配置错误,例如权限设置过宽或未注销离职员工的登录凭证。
Apple wrote in its complaint that when Liu learned he had unauthorized access to Apple’s systems, he did not report the bug to Apple under his employment agreement obligations, nor did he return his Apple-issued work laptop. The complaint added that Liu also failed to “delete the program that allowed the access” to Apple’s network. 苹果在诉状中写道,当 Liu 发现自己可以未经授权访问苹果系统时,他并未根据雇佣协议的义务向苹果报告该漏洞,也没有归还他的苹果工作笔记本电脑。诉状还补充说,Liu 也没有“删除允许访问”苹果网络的程序。
The company did not say what program or app that Liu allegedly used to access Apple’s systems. It’s not uncommon for employees to have tools, such as a work-approved VPN or remote-viewing app, that allow them to access sensitive data from outside of the company’s offices using their credentials. 苹果公司并未说明 Liu 涉嫌使用什么程序或应用程序来访问其系统。员工拥有诸如工作批准的 VPN 或远程查看应用程序等工具,允许他们使用自己的凭证在公司办公室外访问敏感数据,这种情况并不罕见。
Given that Liu was previously granted credentials to Apple’s network as an employee, TechCrunch asked Apple when the company decommissioned Liu’s access, but we did not hear back. Once Liu allegedly gained access to the network share, he wrote to Peng: “LOL, I found out I can access the [network storage], so funny.” 鉴于 Liu 此前作为员工被授予了苹果网络的访问凭证,TechCrunch 询问苹果公司何时注销了 Liu 的访问权限,但未得到回复。据称,在 Liu 获得网络共享访问权限后,他曾写信给 Peng:“哈哈,我发现我可以访问[网络存储],真好笑。”
Apple filed its suit in the U.S. District Court for the Northern District of California in San Jose, and has demanded a jury trial. OpenAI previously said it has “no interest in other companies’ trade secrets.” The case, if it proceeds, could begin this year. 苹果已在加利福尼亚州圣何塞的美国联邦地区法院提起诉讼,并要求进行陪审团审判。OpenAI 此前曾表示,它“对其他公司的商业机密不感兴趣”。如果案件继续进行,可能会在今年开庭。