A security researcher discovered a specific vulnerability and then decided not to notify Apple. On the other hand.
Noah Roskin-Frazee, who works for ZeroClicks Lab, is credited by Apple with being responsible for numerous CVE reports and has been repeatedly thanked by the company for his help in finding several Wi-Fi vulnerabilities. This time the researcher decided not to report the discovery to Apple, but to They exploited the vulnerability to defraud the company of gift cards and products worth approximately $2.5 million.
One curious aspect is that Apple's final thanks to Noah Roskin-Frazee for discovering a security flaw came two weeks after the man's arrest Apple defrauded of $2.5 million.
Accordingly reportedRoskin-Frazee has found a vulnerability in an Apple backend system called Toolbox. This is a system whereby the company puts orders on hold, after which orders can be changed.
The researcher used a password reset tool to gain access to an employee account belonging to a company identified only as Company B, but which appeared to be a third-party company that manages customer support services for Apple.
This account was used to access other accounts within the same company, one of which allowed access to its VPN server. The man reportedly managed to reach this point Access to the Apple Toolbox system.
The report said the researcher placed orders under false names and then used Toolbox to change the amounts payable to $0, as well as add additional devices to the orders, “such as phones and laptops,” without any additional charges fees were charged.
Other orders that had their value reduced to zero were for gift cards that could then be used to make purchases at Apple Stores or resell them.
The most inexplicable aspect of the story is that although the products used false names and shipping addresses, the researcher's employee allegedly used the system to renew an AppleCare contract for himself and his family. And he was caught along with his accomplice.