A security researcher was thanked by Apple in OS patch notes just days after being indicted in a scheme that allowed him to steal millions of dollars worth of Apple products, gift cards, and services.
Noah Roskin-Frazee, a security researcher affiliated with ZeroClicks Lab, has been praised by Apple for identifying software vulnerabilities. However, he has recently come under scrutiny for exploiting a vulnerability that enabled him to steal a whopping $2.5 million worth of iPhones, Macs, and gift cards.
According to 404Media, Roskin-Frazee found a vulnerability in Toolbox, a backend system that Apple uses to place orders on hold. While on hold, orders can still be edited.
He, along alleged co-conspirator Keith Latteri, used a password reset tool to gain access to an employee account of a third-party company that helped Apple with customer support. Once they accessed the employee credentials, they accessed Apple's systems and placed fraudulent orders for Apple products.
The pair started the scheme in December 2018 and continued until at least March 2019.
The two would create and manipulate orders, adding products like iPhones and Macs and changing the cost to zero. They also would order gift cards that could be used in Apple stores or resold.
While they used false names and drop shipping addresses for the physical products, one extended AppleCare for two years for himself and his family.
Perhaps one of the most interesting things to come out of the story is that two weeks after Roskin-Frazee was arrested, Apple thanked him publicly on its website.
There's big business in software vulnerabilities — both in finding them and exploiting them.
Jamf Threat Labs recently worked out a proof-of-concept post-exploitation tampering technique that makes an iPhone behave like it is in Lockdown Mode when it isn't.