Connect with us

Tech

Apple says former employee exploited ‘rare’ bug to download confidential files after leaving for OpenAI

On Friday, Apple dropped the bombshell news it was suing OpenAI over the alleged theft of trade secrets, claiming that OpenAI stole Apple’s confidential data and engaged in efforts to learn proprietary information while recruiting former Apple employees.

In accusing OpenAI of stealing secrets about Apple’s unreleased products, Apple revealed that a former employee allegedly siphoned reams of sensitive files from the company’s shared network folders, weeks after leaving Apple for a job at OpenAI.

In its complaint, Apple says the former employee, a system electrical engineer named Chang Liu, allegedly “exploited a rare, previously unknown authentication bug” that allowed access to the company’s network. The bug is classified as a zero-day vulnerability, meaning that Apple had no time to fix it before it was allegedly exploited.

Apple has since fixed the bug and said it terminated the employee’s access once it learned of this “security breach.” In its complaint, Apple said the bug could have allowed a “few other” people to access data on its network, but alleged that only Liu exploited the bug to steal Apple’s confidential information while no longer an employee, citing a check of its server logs. 

The disclosure, while light in detail, highlights the challenges that organizations face with protecting sensitive corporate data after employees no longer work there. Companies often move to immediately cut off departing staff from further access to protect any sensitive information from leaving, including inadvertently. Companies that fail to fully decommission their employees’ accounts can face future security lapses, data breaches, or malicious actions by disgruntled staff.

Apple spokespeople did not respond to an email from TechCrunch with questions about the security vulnerability, how it was exploited, and when the company decommissioned the employee’s credentials.

“LOL… so funny.”

In the complaint, Apple alleged that Liu took “dozens of Apple’s confidential hardware-related files” over the course of several weeks while as a new OpenAI employee. 

Apple said the files contained “detailed information about unreleased products, engineering presentations, technical specifications, and proprietary project data.” 

The company claims Liu failed to return the Apple-issued work laptop he had previously used to access Apple’s network, suggesting it was once able to send and receive files from Apple’s internal systems. The complaint said that Liu allegedly claimed to have “another computer.” While he was at OpenAI, Liu also allegedly misused the access of an acquaintance, Yu-Ting Peng, a then-Apple employee who later went to work for OpenAI. Liu allegedly used Peng’s Apple-issued work laptop “while she was still employed at Apple and he was not.”

Apple said that during February 2026, Liu “tried to access Apple’s network storage — a cloud-based file repository containing Apple’s confidential engineering files, project documentation, and other proprietary information.”

Liu had allegedly discovered that he “still could access Apple’s network repository after leaving Apple, the result of a then-unknown authentication vulnerability.”

Apple did not describe the authentication “bug” that Liu allegedly used to access Apple’s network. However, authentication bugs generally refer to flaws in the login process that allow improper access to systems or data, either because of a weakness in how the login mechanism works or due to a misconfiguration, such as overbroad permissions or not decommissioning the login credentials of a former employee. 

Apple wrote in its complaint that when Liu learned he had unauthorized access to Apple’s systems, he did not report the bug to Apple under his employment agreement obligations, nor did he return his Apple-issued work laptop. 

The complaint added that Liu also failed to “delete the program that allowed the access” to Apple’s network. The company did not say what program or app that Liu allegedly used to access Apple’s systems. It’s not uncommon for employees to have tools, such as a work-approved VPN or remote-viewing app, that allow them to access sensitive data from outside of the company’s offices using their credentials.

Given that Liu was previously granted credentials to Apple’s network as an employee, TechCrunch asked Apple when the company decommissioned Liu’s access, but we did not hear back.

Once Liu allegedly gained access to the network share, he wrote to Peng: “LOL, I found out I can access the [network storage], so funny.”

Apple filed its suit in the U.S. District Court for the Northern District of California in San Jose, and has demanded a jury trial. OpenAI previously said it has “no interest in other companies’ trade secrets.”

The case, if it proceeds, could begin this year.

When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.

source

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Tech

Iran abused mobile networks’ vulnerabilities to locate US military in the Middle East, report says

The Iranian government abused well-known vulnerabilities in the global telecoms infrastructure to locate U.S. military personnel in the build-up to the Iran War, as well as in the early days of the conflict, according to Financial Times.

The Iranian government exploited Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that has long been the backbone of how cellular networks connect to each other to route subscribers’ calls and texts around the world, the newspaper reported, citing research by the Mobile Surveillance Monitor, as well as anonymous government officials with knowledge of the spy campaign. 

Intelligence agencies have long abused SS7 to track cellphones abroad, which is what happened in this campaign. 

Using this technique, Iran was reportedly able to locate U.S. military forces stationed in military bases as well as hotels in Iraq, Bahrain, and other countries in the Middle East, which allowed the regime to strike them. These attacks resulted in several injuries

Apart from SS7, Iran also abused advertising technology used to serve tailored ads to cellphone users, another well-known surveillance technique that relies on everyday technology.

source

Continue Reading

Tech

Google Images gets a Pinterest-like redesign focused on discovery

Google Images, the tech giant’s image search engine, is taking on Pinterest with its latest redesign that turns the site into a browsable, dynamic gallery of images from across the web. Google is also adding a way for users to create AI images right in Search, as it celebrates 25 years since the debut of Google Images.

Pinterest has long been known for allowing people to browse and save visual inspiration for everything from fashion to home decor. With this redesign, Google is essentially copying that playbook by turning Google Images into a place for discovery and inspiration, and not just search, which could increase users’ time spent on Google platforms, helping boost its ad revenue.

In addition, Google is likely hoping that when users can’t find the image they’re looking for on Google Images or when they want to visualize something, they’ll stay within its ecosystem to create it rather than turn to third-party services like ChatGPT.

Image Credits:Google

After navigating to the redesigned Google Images, users will see a “For You” gallery of images tailored to their interests and browsing history. Like Pinterest, the gallery is designed for continuous browsing, with Google saying it updates in real time with new images.

As users browse, they can save ideas to their “collections,” which will appear as tabs above the main gallery of photos. For example, users can create collections for things like vacation outfit ideas, travel inspiration, and ways to design a reading nook, which they can come back to later.

The redesign is rolling out over the coming weeks on desktop in the U.S. in English. Users need to be signed into a Google Account to try it out, the tech giant says.

Image Credits:Google

As for generating images directly in Search, Google says the feature is meant for moments when you have a highly specific idea for an image that doesn’t already exist online. Google is bringing image generation directly into AI Overviews on Search and will use its latest Nano Banana model to transform a text prompt into a custom visual.

The feature can also help users reimagine spaces and visualize ideas, such as seeing what a room might look like painted red or what a dorm room with a coastal theme could look like.

Image generation in AI Overviews will start to roll out over the coming weeks in English for all regions that currently support image creation in AI Mode, Google says.

When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.

source

Continue Reading

Tech

Meta’s Adam Mosseri says AI token budgets could soon be capped per engineer

In a recent interview, Instagram head Adam Mosseri said he can see a time in the future, perhaps only a year or two, when putting limits on Meta employees’ AI token spend will become necessary.

“I think that you can imagine, at least in a year or two … that the burn rate of a strong engineer might be the same as their salary, or their cost of employment. And in that world, you’re going to probably need to put in some caps,” the Meta executive said, while speaking on Lenny’s Podcast.

AI token spend, a reference to the cost of processing AI prompts and responses, has been a much-buzzed-about subject in recent days. Meta shut down an internal AI token spend leaderboard after AI costs put the company on track for billions of dollars in 2026.

Meta is not alone in rethinking its approach to AI experimentation. Uber also had an AI reckoning after it blew through its 2026 AI coding budget by April. Soaring token costs saw Microsoft cancel Claude Code licenses, consolidating its engineers around its own Copilot CLI tool instead.

Mosseri’s belief, he explained, is that AI token costs will have to be managed just like any other resource, offering an analogy to things like payroll or operating expenditure (OpEx), which is the day-to-day costs of running a business.

“I think of it like…any other resource,” Mosseri said. “I have to decide how to deploy capacity to my different teams because I have a limited number of GPUs and CPUs and storage and RAM etc. I have to decide how to deploy OpEx for labeling budgets across my teams. I have to decide how to deploy payroll for headcount across my teams.”

Token budgets will be the same, he added, noting that the cap per engineer would have to be proportional to the company’s trust in their ability to use the budget in an “ROI-positive” way.

Meta doesn’t currently have token caps for any employee, Mosseri said, but he believes that their use could be healthy in the future. Further down the road, he expects token costs to come down as the AI model makers enter a pricing war to attract people to use their tools over their competitors.

For now, the company has managed to rein in its token costs a bit by shutting down the “silly things” that it was doing, Mosseri noted — like that token spend leaderboard.

“It’s not that hard to build a token incinerator, and that doesn’t create a lot of value,” he said.

When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.

source

Continue Reading