In a shocking development, a security researcher previously lauded by Apple for contributing to vulnerability discovery is now under scrutiny for allegedly defrauding the tech giant of approximately $2.5 million. Noah Roskin-Frazee, associated with ZeroClicks Lab, has come under the spotlight for exploiting a vulnerability in Apple’s system, leading to a complex series of deceptive practices.
The Breach: How Roskin-Frazee and Latteri Exploited Apple’s System
Roskin-Frazee identified a vulnerability in Apple’s backend system called Toolbox and collaborated with Keith Latteri for an escalation attack. The duo successfully gained access to Toolbox and even infiltrated an employee account of a third-party company assisting Apple with customer support. Under false identities, they manipulated orders for various Apple products, setting the payable sum to zero dollars. This allowed them to acquire iPhones, laptops, and gift cards without incurring any cost.
The astonishing sequence of events raises questions about Apple’s security measures and the timing of the company’s acknowledgment of the researcher’s contributions, which occurred just two weeks after the arrest. Reports also suggest that one of the researchers extended an AppleCare subscription for themselves and their family, potentially exposing their identity in the process.
As investigations unfold, the incident serves as a reminder of the ongoing challenges tech companies face in maintaining robust cybersecurity measures against sophisticated attacks.