A security researcher with a track record of helping Apple identify vulnerabilities in its software seemingly found one particular security hole too tempting.

Instead of reporting it to the Cupertino company, he allegedly exploited it to scam the company out of gift cards and products worth some $2.5 million …

Noah Roskin-Frazee, who works for ZeroClicks Lab, is credited by Apple for multiple CVE reports, and was specifically thanked by Apple for help with wifi vulnerabilities.

We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance.

What’s unusual about this is that the thanks came two weeks after he was arrested for allegedly defrauding Apple out of $2.5M.

Roskin-Frazee reportedly found a vulnerability in an Apple backend system known as Toolbox. This is described as a system within which the company places orders on hold, during which time they can be edited.

404Media reports that he used an escalation attack to gain access to this, with apparent assistance from fellow researcher Keith Latteri.

First, it says, they used a password reset tool to gain access to an employee account belonging to a company described only as Company B, but which appears to be a third-party firm operating customer support services for Apple.

That account was used to access further accounts within the same company, one of which gave access to its VPN servers. This was the point at which they were reportedly able to access Apple’s Toolbox system.

The report says they placed orders under false names, then used Toolbox to change the sums payable to $0, as well as adding additional devices to orders, “such as phones and laptops,” without any additional charges being triggered.

Other orders whose values were changed to zero were for gift cards, which could then be used to make purchases from Apple stores or resold for a high percentage of their face value.

The most inexplicable aspect of the report is that while false names and drop shipping addresses were used for the products, one of the two defendants apparently used the system to extend an AppleCare contract for him and his family.

404Media says that lawyers for the two defendants did not respond to a request for comment.

Photo by Carles Rabada on Unsplash