Tuesday, November 8, 2011

Apple Kicks Researcher Out of iOS Developer Program for iOS Bug Demo App

What has Apple just reminded well-known security researcher Charlie Miller, along with the rest of the world, of?

No good deed goes unpunished.

Miller recently discovered a major bug in iOS that let him turn a seemingly benign, App Store-approved app into a dangerous one: the app could run unsigned code on the user's iPhone or iPad, bypassing the code-signing enforcement that is supposed to limit a device to code Apple has reviewed and signed.

The flaw gives a malicious developer the ability to open a backdoor on an iPhone or iPad and funnel sensitive data, such as the address book or the photos stored on the device, out to a remote command-and-control server under the attacker's control.

Any iOS device running iOS 4.3 is potentially at risk from the bug Miller uncovered.

Miller's findings show that although Apple has done a decent job of protecting iOS from malicious apps by reviewing each app before it is allowed into the iTunes store, nothing is 100% secure. Review can only vet the code an app ships with; an app that fetches and runs unsigned code after it has been approved is, in effect, never reviewed at all.

Miller demonstrated exactly that with his own app, Instastock, which Apple accepted into the iTunes store back on September 14th, in the YouTube video below:

Crazy, huh?

Miller notified Apple of his findings on October 14th and expected a prompt patch, given the seriousness of the vulnerability.

However, Apple seemed less than grateful for Miller's good-Samaritan ways: it not only removed Instastock from the iTunes store, but also kicked him out of the iOS Developer Program and banned him for one year.

As most of us would in that situation, Miller took to Twitter to share the news:

@0xcharlie:
OMG, Apple just kicked me out of the iOS Developer program. That's so rude!

@0xcharlie:
First they give researchers access to developer programs, (although I paid for mine) then they kick them out... for doing research. Me angry

As for why Miller submitted a real app rather than simply describing the bug:

@0xcharlie:
For the record, without a real app in the AppStore, people would say Apple wouldn’t approve an app that took advantage of this flaw.

We can all understand why Apple would be a bit ticked off at someone demonstrating a flaw in its platform with a live app in its own store, and it is fair to ask why Miller waited a month after Instastock was approved to report the bug. Even so, Apple may be sending the wrong message to researchers by punishing those who try to help. Why would anyone bother pointing out the next bug if doing so just gets them banned?

What do you think? Was Apple too harsh on Charlie, or was its decision justified? Share your thoughts below!

Photo Credit: oliverlindner

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest tech news and security threats.