Security researcher used Apple systems to scam $2.5M

Share via:


A security researcher with a track record of helping Apple identify vulnerabilities in its software seemingly found one particular security hole too tempting.

Instead of reporting it to the Cupertino company, he allegedly exploited it to scam the company out of gift cards and products worth some $2.5 million …

Noah Roskin-Frazee, who works for ZeroClicks Lab, is credited by Apple for multiple CVE reports, and was specifically thanked by Apple for help with wifi vulnerabilities.

We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance.

What’s unusual about this is that the thanks came two weeks after he was arrested for allegedly defrauding Apple out of $2.5M.

Roskin-Frazee reportedly found a vulnerability in an Apple backend system known as Toolbox. This is described as a system within which the company places orders on hold, during which time they can be edited.

404Media reports that he used an escalation attack to gain access to this, with apparent assistance from fellow researcher Keith Latteri.

First, it says, they used a password reset tool to gain access to an employee account belonging to a company described only as Company B, but which appears to be a third-party firm operating customer support services for Apple.

That account was used to access further accounts within the same company, one of which gave access to its VPN servers. This was the point at which they were reportedly able to access Apple’s Toolbox system.

The report says they placed orders under false names, then used Toolbox to change the sums payable to $0, as well as adding additional devices to orders, “such as phones and laptops,” without any additional charges being triggered.

Other orders whose values were changed to zero were for gift cards, which could then be used to make purchases from Apple stores or resold for a high percentage of their face value.

The most inexplicable aspect of the report is that while false names and drop shipping addresses were used for the products, one of the two defendants apparently used the system to extend an AppleCare contract for him and his family.

404Media says that lawyers for the two defendants did not respond to a request for comment.

Photo by Carles Rabada on Unsplash

FTC: We use income earning auto affiliate links. More.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Popular

More Like this

Security researcher used Apple systems to scam $2.5M


A security researcher with a track record of helping Apple identify vulnerabilities in its software seemingly found one particular security hole too tempting.

Instead of reporting it to the Cupertino company, he allegedly exploited it to scam the company out of gift cards and products worth some $2.5 million …

Noah Roskin-Frazee, who works for ZeroClicks Lab, is credited by Apple for multiple CVE reports, and was specifically thanked by Apple for help with wifi vulnerabilities.

We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance.

What’s unusual about this is that the thanks came two weeks after he was arrested for allegedly defrauding Apple out of $2.5M.

Roskin-Frazee reportedly found a vulnerability in an Apple backend system known as Toolbox. This is described as a system within which the company places orders on hold, during which time they can be edited.

404Media reports that he used an escalation attack to gain access to this, with apparent assistance from fellow researcher Keith Latteri.

First, it says, they used a password reset tool to gain access to an employee account belonging to a company described only as Company B, but which appears to be a third-party firm operating customer support services for Apple.

That account was used to access further accounts within the same company, one of which gave access to its VPN servers. This was the point at which they were reportedly able to access Apple’s Toolbox system.

The report says they placed orders under false names, then used Toolbox to change the sums payable to $0, as well as adding additional devices to orders, “such as phones and laptops,” without any additional charges being triggered.

Other orders whose values were changed to zero were for gift cards, which could then be used to make purchases from Apple stores or resold for a high percentage of their face value.

The most inexplicable aspect of the report is that while false names and drop shipping addresses were used for the products, one of the two defendants apparently used the system to extend an AppleCare contract for him and his family.

404Media says that lawyers for the two defendants did not respond to a request for comment.

Photo by Carles Rabada on Unsplash

FTC: We use income earning auto affiliate links. More.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

More like this

Instagram co-founder backs startup helping devs fend off AI

CodeCrafters’ platform helps experienced programmers stay ahead of...

Microsoft announces Mac mini-sized PC, but it only works...

Microsoft on Tuesday announced a new product called...

PSA: You shouldn’t upload your medical images to AI...

Here’s a quick reminder before you get on...

Popular

Upcoming Events

Startup Information that matters. Get in your inbox Daily!