404 Media reports that “a legitimate security researcher who reported multiple vulnerabilities to Apple” allegedly exploited the loophole to defraud the company of gift cards and products. What makes this notable is that the researcher, Noah Roskin-Frazee (who works at ZeroClicks Lab), has been credited by Apple for multiple CVE reports, including assistance with Wi-Fi vulnerabilities.
He is charged with “allegedly infiltrating systems connected to Apple’s back end and using that access to defraud the tech giant of $2.5 million worth of gift cards and electronic devices,” the report said, citing court records. He and his alleged co-conspirators were arrested two weeks after Apple thanked him.
How security researchers exploited the bug

Court records suggest that the researcher and an accomplice used a password reset tool to access employee accounts belonging to a company called Company B. This is reportedly a third-party company that operates Apple’s customer support services.
“During the course of the scheme, the defendant and his co-conspirators attempted to fraudulently obtain more than $3 million from Company A [Apple] in products and services through more than 20 fraudulent orders,” the indictment states.
That Apple employee account was then used to access further accounts, one of which granted access to a VPN server, which in turn provided access to Apple’s Toolbox system. The defendants reportedly placed orders under false names and used Toolbox to change the payment amount to $0.
From the completed orders, the defendants received approximately $2.5 million in electronic gift cards and more than $100,000 in “products and services.” Many of the gift cards and much of the merchandise were then resold to third parties, the report said.