Wednesday, February 21, 2024


How a security researcher scammed Apple of $2.5 million

Security researchers are usually a boon to organisations, but they become trouble when they break into the company to steal millions. A similar incident occurred at one of the most valuable companies on earth, Apple. A security researcher with a track record of helping the iPhone maker identify and plug vulnerabilities in its software duped the company out of $2.5 million.

According to a report by 404 Media, a “legitimate presenting security researcher who has reported multiple vulnerabilities to Apple” allegedly exploited a loophole and scammed the company out of gift cards and products. What is interesting is that this researcher, Noah Roskin-Frazee – who works for ZeroClicks Lab – has been credited by Apple for multiple CVE reports, including help with Wi-Fi vulnerabilities.
He has been “charged with allegedly breaking into a system connected to Apple’s backend, and then using that access to defraud the tech giant out of $2.5 million worth of gift cards and electronics,” the report said, citing court records. He, along with an alleged co-conspirator, was arrested two weeks after Apple thanked him.
How security researcher exploited the bug

The court records suggest that the researcher and his accomplice used a password reset tool to gain access to an employee account belonging to a company described as Company B. Reportedly, this could be a third-party firm operating customer support services for Apple.
“During the course of the scheme, the defendant and co-conspirators attempted to fraudulently obtain over $3 million in Company A [Apple] products and services through more than two dozen fraudulent orders,” the indictment reads.

That Apple employee account was used to access more accounts, one of which gave them access to the company's VPN servers and, through those, to Apple’s Toolbox system. Reportedly, they placed orders under false names and used Toolbox to change the sums payable to $0.
For the completed orders, the accused obtained around $2.5 million in electronic gift cards and more than $100,000 in “products and services.” Many of these gift cards and products were then resold to third parties, the report said.
