As hard as it is to believe someone inside Apple would leak the
firmware, it just as hard to believe such a leak was possible. The
firmware was live on the internet, protected only through obscured
URL. That means, when the URLs were leaked, anyone could access
the firmware. No VPN, login credentials, or other security checks
It’s absolutely the fault of the leaker but my guess is that the
days of security through obscurity are done and Apple locks down
the firmware delivery process ASAP.
I don’t want to get into a “blame the victim” scenario, but Ritchie makes a good point here. The wrongdoer is the person who leaked the URLs. But given how sensitive these GM builds of iOS 11 were, there’s no way they should have been publicly accessible. The richest company in the world — and a computer company at that — must do better than security by obscurity.