
back to article Apple expels serial hacker for publishing iPhone exploit

Charlie Miller, the serial hacker who has exposed more than a dozen critical vulnerabilities in Apple's Mac and mobile platforms, was kicked out of the company's iOS developer program after publishing an application that demonstrated a serious new bug in iPhones and iPads. Miller's InstaStock app, which was accepted into the …

COMMENTS

This topic is closed for new posts.


FAIL

Don't shoot the weatherperson...

...unless you want to get wet!

2
1
Gold badge

Apple notified first

I read elsewhere that he only uploaded the app to the app store after he notified Apple and they failed to acknowledge the problem (or fix it).

3
0
Black Helicopters

If Apple had any brains..

..they would hire this guy and make the usual PR noise about it..

4
1
Anonymous Coward

seems Apple can't take criticism. Oh dear.

8
1

perhaps I was wrong...

Maybe the Jobs ignorance will live on after his death....what a shame.

2
1
Pint

Haha!

Haha!

Nothing more nothing less.

Ho, and I'll drink to that.

0
0
Devil

This will be a long thread :-)

0
0
Silver badge

Reasonable disclosure

Did he tell Apple first?

If not he's just a publicity seeking tosser and Apple are in the right.

If he did then shame on Apple.

3
2
Coffee/keyboard

Something biblical here

Apple expels ... hacker

Walled garden

Tree of knowledge

Apple bitten

Hacker/humanity expelled.

right & wrong confused ... you do the math.

2
0

Poor Baby

So he finds a flaw - commendable

Then he puts that flaw into an app and lets it be sold for 2 months.

And then he wonders why Apple, a company not known for taking a joke, canned his developer access?

He either needs to be saying he was trying to expose Apple's weak app store application process (if that was the reason) and take the hit or admit that he really messed up.

2
8
Silver badge

"And then he wonders why Apple, a company not known for *taking security seriously*, canned his developer access?"

FTFY.

And from the story it doesn't sound like he's wondering why Apple canceled his access. I think he knows exactly why - their market depends heavily on a ludicrous mythology of "quality" and special exemption from the evils of the world, and they're much more interested in protecting that than they are in securing their products.

1
0
Silver badge
Pirate

That's the trouble with Apple....

....no sense of humour. Boring buggers.

GJC

6
2
Silver badge

Give him a job

It would have made more sense to give him a job fixing their products ... odd how quickly they react when this happens ... so I assume they'll have the bug fixed tomorrow eh?

5
1
Silver badge
FAIL

Apple fanboi is hurt?

"So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year"

Thanks for exposing yourself as fanboi ;)

(I care about the facts, not the added emotions)

6
4
Bronze badge
Holmes

Omg I break the rules and they kick me out!

It can't be me sitting here thinking wth was he thinking, of course they will tell you to leave as they only want smug people not saying "LOOK HERE A BUG!!"

1
2
Bronze badge
FAIL

Already notified Apple

Ok reading above he already notified Apple so I have to admit that my statement was based on I thought he hadn't notified them.

So I fail I think

0
0
Anonymous Coward

“Now I have to wait until it comes out and if they screwed it up no one will know until it's too late.”

Too late for what? He already announces the vulnerabilities without giving Apple a chance to fix them, so why shouldn't they pull his developer account? He doesn't care about the security, just the attention.

2
6

An interesting article about a developer finding exploits and the reaction of the company to public disclosure of the exploit. But what relevance does it have with Android?

"So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year."

Are you trying to start arguments?

6
0
Go

Balanced?

I wondered about that myself.

Perhaps it's balanced reporting.

Perhaps it's a way to stop an argument from flaring up in the comments between various flavours of zealot.

Perhaps just drawing a comparison.

Perhaps it's none of those things.

2
1
Silver badge

Um?

Shouldn't Apple's review process have caught out this 'secret hack', or is it basically reduced to being picky about the UI and acting as Pornographer General?

8
1
WTF?

11 comments> Where are they?

Strange, when I open the article I see there should be 11 comments, but none are visible yet.

Did they all mention the fallacy that is inherent in trying to justify Apple's behaviour and the existence of holes in iOS by pointing to android?

We all know by now that android is the touching stone for mobile OSs, no need to keep pointing to it when the article is about iOS or Apple touchiness.

4
0

I think that point was there to try and head off a load of pointless bragging from Fandroids.

1
3
Trollface

"So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year."

So as per usual, Apple is playing catch up with something that Android has been doing for ages?

FLAME ON!

9
0
Gold badge
Coffee/keyboard

<-- New keyboard please :)

1
0
FAIL

Actually...

When you've finished trying to be funny I think you'll find Android copied Apple's patent of "Shit happens when shit happens", when they introduced that bug. So Apple thought of it aaaaaaaages ago, they just didn't want to add the feature to the early iPhones.

1
0
FAIL

Doh

He published malware onto the appstore, which has almost certainly been downloaded by users given it's been up there for over a month, has been testing live payloads, and he's surprised they pulled his account?

Critical thinking fail.

4
4
FAIL

Original article on forbes...

http://www.forbes.com/sites/andygreenberg/2011/11/07/apple-exiles-a-security-researcher-from-its-developer-program-for-proof-of-concept-exploit-app/

Quote: "Miller has found and reported dozens of bugs to Apple in the last few years, and had alerted Apple to this latest flaw on October 14th."

There's nothing wrong with my critical thinking, thanks...

2
0
Devil

The timing is everything in this story...

How long had Miller known about this bug? When did his app go live on the store? How long did it take for him to build his app and for it to progress through Apple's convoluted verification progress?

It's almost a certainty that he knew about the bug long ago, while iOS5 was still in beta, and yet he waited until 2 days after iOS5 had been released to the public before he informed Apple.

The man is, and always has been, a self-publicising arse. He has a track record of presenting his vulnerabilities such that Apple looks as bad as possible. However, this effort, deliberately placing malware on the app store and timing his report to Apple so that it was far too late for them to address his concerns, is low even by his standards.

5
6
Stop

where?

Where does it say that he waited till 2 days after the release of iOS5 to tell Apple? It doesn't say when he told Apple but you seemed to think it is when he went public with the flaw.

Reading the article suggests to me that he had told Apple, and they didn't fix it, so he went public.

He says being booted off the dev programme means he can't find flaws before they are released to live suggests that he does indeed tell them before the code goes live.

Of course this is just my take on it, but I'm not looking through Apple-shaped glasses....

2
1
Big Brother

First I am the Lord thy Apple, thou shalt not bear false (or true) witness against me.

But how many people were kicked out of the Android development for highlighting the flaw in Android???????

Any chance that crApple will be terminated from the iOS Developer Program for “hiding, misrepresenting and obscuring features, content, services and/or functionality”

2
1
Linux

you, sir, just failed

1) there is no being kicked out of android development - only the Marketplace

2) Many have written malware exploiting android's (and the user's) weaknesses. Many (impossible to know if all) have been kicked out of the Marketplace

0
0

one wonders....

.... if he notified apple about the exploit before publishing it?

1
2

Re: one wonders....

He probably did. However, I very much doubt he also said, "oh and by the by, if you wanna check out the bug, just download my app from the PRODUCTION APP STORE and I'll hack your iPhone so you can see."

0
0

Does one wonder?

Well, wonder no more.

He knew about the bug in March, developed an exploit and placed his malware on the App store by September, but did not inform Apple until October 14th.

The man is an arse!

0
2
Silver badge

In some ways whether or not he did is irrelevant.

The approval process should involve some vetting, and that vetting should have found the code that was doing stuff that wasn't described in the application. It's not like the real bad guys are going to say, 'Please approve our app which includes code that exploits a vulnerability in your OS.'

1
0

A title is optional

"So as unfortunate as the iOS vulnerability is, it's worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year."

And iOS 4.3 has been around for... about a year, including beta. Just because Miller is the first to tell anyone about it doesn't mean the vulnerability wasn't there before.

1
0
Gold badge

Awww diddums. At times I feel these security researchers are doing it for their ego rather than the good of the companies they submit their bugs to.

The feeling of power and being able to screw over big companies becomes too tempting for some of them.

3
3
Holmes

Job offer

There's a rumour he's been offered a job by MS

http://www.theverge.com/2011/11/8/2546435/researcher-who-exposed-an-ios-app-vulnerability-loses-his-developer

0
0
Happy

No rough play !

Love the "Now play nicely kids" comment in the last sentence of the article

0
0
Silver badge
Gimp

Canned his account! Seriously?

You don't think he's got more than one developer account? Not exactly hard things to get.

Apple prove once again that their PR people have no clue how to deal with anyone who falls outside their Fanbois vision

3
0

strange lack of criticism of Apple from the fanbois... or hasn't the penny dropped yet that the walled garden doesn't protect you from malware?

Here's an app, approved and accepted by Apple, that contains malware. Users are unaware of it, there's nothing to indicate that the app is malicious. If this can be done by a researcher, you can bet that it will be done by the less-savoury side of society.

The walled garden may look pretty, but, you've no idea what's going on under the surface. At least with Android you can protect yourself, all apps have to declare what permissions they need, and you can see those before installing them. Even then, you can always install a permissions blocker. Does the App Store show you what access an app needs? Can you install permissions blockers?

Bitch and moan about this guy being an attention seeker all you want, all he is doing is pointing out that Apple aren't perfect and the App Store approval process won't protect you.

5
2
Anonymous Coward

Jon Oberheide did something similar on Android; look up Rootstrap and his fake "Twilight: Eclipse" wallpaper app. Google handled things very differently, though. Their security team is allowed to talk to outsiders, and seem genuinely interested in doing so. Warm fuzzies all around. I'm not saying the circumstances are exactly the same (we'll never know both sides of the story here, with Apple's history), but it's safe to say they don't care about spinning things to appeal to technical people that might actually follow such news.

And the Android permissions model is a great idea. Unfortunately, nothing prevents an app from unsafely exposing permission-guarded functionality through its own unsafe interfaces. This is a pretty big problem what with all the custom skins manufacturers add to their firmware in order to shine things up a bit.

2
0
Bronze badge
Alert

Bottom line

"Here's an app, approved and accepted by Apple, that contains malware. Users are unaware of it, there's nothing to indicate that the app is malicious"

That important message does seem to be being lost in the discussion about what happened to the developer.

Whether Android users are really any safer from malicious apps I couldn't say. No one is perfect and there will likely always be some way to slip something through any approval process.

1
0
Silver badge

@thesykes, 13:21

>> Even then, you can always install a permissions blocker. <<

only if you've rooted your phone, which most users haven't. Most of them don't know what that means....

Tbh I'm getting a bit sick of moaning about this, but just to be clear, the permissions system on Android provides very little security unless you just don't install apps. Nearly every app I've looked at has wanted permissions that don't seem relevant to the job it's doing. How many people just click install? I don't, but that's why I've only got about 3 apps installed on my phone...

Holding up android as a way to manage permissions correctly is wrong. There are many threads on the google boards requesting permission control after app install, and many crap programmers moaning that that means they'd have to trap permission exceptions and it's not worth it....

1
2

LBE Privacy Guard

That is all.

1
0
FAIL

@thesykes

I'd read this if I were you

http://blog.duosecurity.com/2011/09/android-vulnerabilities-and-source-barcelona/

And don't forget the HTC data logger

http://www.theregister.co.uk/2011/10/03/htc_android_security/

Don't worry though at the rate Android fixes reach handsets these should all be fixed soon....

0
1

this isn't about Android vulnerabilities though. No, it's not perfect, yes there is malware out there, yes there have been attacks. Doesn't matter.

Concentrate on the real problem. It is possible to plant malware in the App Store and there is nothing you can do to stop it.

1
0

"yes there is malware out there, yes there have been attacks. Doesn't matter."

Why does it not matter? Surely as the more popular mobile OS and with its slow upgrade mechanism it matters more.

"Concentrate on the real problem. It is possible to plant malware in the App Store and there is nothing you can do to stop it."

I am concentrating on the real problem. Yes it's a serious flaw in iOS and users are not protected against it. You seem to think Android protects you but as the links in my earlier post prove there is no protection against poor software.

0
1
Alert

The difference between this and android.

Apple would have you believe that it isn't possible at all. It's hard to know if Miller told Apple first. In the past when he's done so Apple have ignored him. I think he knew what to expect here, but Apple have played right into his hands. Banning his account for exposing a flaw shows how they take their reputation more seriously than security.

6
2
Mushroom

Does not compute...

"[...] to help them secure their products." Is that the new "full disclosure" procedure - you upload an app, sell it for weeks, make a large number of devices vulnerable to the very flaw you're trying to "help" the vendor with...?

This guy might be taking the "black hat" motive a step too far.

I hope he gets sued by actual users of his trojan, too.

1
5
