Skip to main content

Security researcher used Apple systems to scam $2.5M of iPhones, Macs, and gift cards

A security researcher with a track record of helping Apple identify vulnerabilities in its software seemingly found one particular security hole too tempting.

Instead of reporting it to the Cupertino company, he allegedly exploited it to scam the company out of gift cards and products worth some $2.5 million …

Noah Roskin-Frazee, who works for ZeroClicks Lab, is credited by Apple for multiple CVE reports, and was specifically thanked by Apple for help with wifi vulnerabilities.

We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance.

What’s unusual about this is that the thanks came two weeks after he was arrested for allegedly defrauding Apple out of $2.5M.

Roskin-Frazee reportedly found a vulnerability in an Apple backend system known as Toolbox. This is described as a system within which the company places orders on hold, during which time they can be edited.

404Media reports that he used an escalation attack to gain access to this, with apparent assistance from fellow researcher Keith Latteri.

First, it says, they used a password reset tool to gain access to an employee account belonging to a company described only as Company B, but which appears to be a third-party firm operating customer support services for Apple.

That account was used to access further accounts within the same company, one of which gave access to its VPN servers. This was the point at which they were reportedly able to access Apple’s Toolbox system.

The report says they placed orders under false names, then used Toolbox to change the sums payable to $0, as well as adding additional devices to orders, “such as phones and laptops,” without any additional charges being triggered.

Other orders whose values were changed to zero were for gift cards, which could then be used to make purchases from Apple stores or resold for a high percentage of their face value.

The most inexplicable aspect of the report is that while false names and drop shipping addresses were used for the products, one of the two defendants apparently used the system to extend an AppleCare contract for him and his family.

404Media says that lawyers for the two defendants did not respond to a request for comment.

Photo by Carles Rabada on Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications