A security researcher used his knowledge to defraud Apple of $2.5 million
February 8, 2024
Good turns to the dark side
Instead of reporting the vulnerability, Noah Roskin-Frazee, who works at ZeroClicks Lab, used it to obtain gift cards and merchandise worth approximately $2.5 million. Most interestingly, he once received a “special thank you from Apple for helping fix WiFi vulnerabilities” and is also the author of numerous reports on other vulnerabilities.
Roskin-Frazee reportedly found a security vulnerability in an internal Apple system known as Toolbox. This is the system in which orders are placed on hold so that they can still be edited before they are fulfilled.
404Media reported that he broke into the system through a privilege escalation attack, with the help of fellow researcher Keith Lateri. The two used a password reset tool to gain access to an employee account at a company identified only as “Company B”, which appears to be a third-party Apple customer support firm.
This account was used to access other accounts at the same company, one of which provided access to VPN servers. From there, they were reportedly able to reach Apple’s Toolbox system.
According to the report, they placed orders under fictitious names and then used Toolbox to change the order total to $0, and also added additional devices “like phones and laptops” to orders at no additional cost.
Other orders whose value was reset to $0 were for gift cards, which could then be used for purchases at Apple stores or resold for a high percentage of their face value.
Although false names and delivery addresses were used for the goods, one of the two defendants also used the system to extend AppleCare contracts for himself and his family.
John Wilkes is a seasoned journalist and author at Div Bracket. He specializes in covering trending news across a wide range of topics, from politics to entertainment and everything in between.