
MacRumors

macrumors bot
Original poster


A security researcher who reported bugs to Apple was arrested in January for defrauding the company out of millions of dollars, according to a report from 404 Media.


The researcher, Noah Roskin-Frazee, was accused alongside a co-conspirator of obtaining over $3 million in products and services through more than two dozen fraudulent orders. That included around $2.5 million in gift cards and over $100,000 in "products and services."

While Apple is not explicitly named in the court records, an unnamed "Company A" is located in Cupertino, California, and is clearly Apple. The court mentions that one of the perpetrators used gift cards to "purchase Final Cut Pro on Company A's App Store," and Apple is the only company that sells the software.

In 2019, Frazee and his accomplice used a password reset tool to gain access to an employee account that belonged to an unnamed "Company B," which does customer support for Apple. That account led to access to additional employee credentials, and Frazee accessed Company B's VPN servers. From there, Frazee was able to get into Apple's systems, placing fraudulent orders for Apple products.

He used Apple's "Toolbox" program that could be used to edit orders after they were placed, and he changed order values to zero, added products to orders, and extended AppleCare contracts. He abused Apple's program from January to March 2019.

The defendants remoted into computers located in India and Costa Rica as part of the scheme, the indictment adds. The scam itself involved changing order monetary values to zero, adding products to existing orders without cost such as phones and laptops, and extending existing service contracts, the indictment adds. That included extending a customer service contract that was associated with one of the defendants and his family for an extra two years without paying.

Apple thanked Frazee in a January support document for finding several bugs in macOS Sonoma, and the document was published less than two weeks after he was arrested. "We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance," reads Apple's page in reference to a Wi-Fi vulnerability.

Frazee has been charged with wire fraud, mail fraud, conspiracy to commit wire fraud and mail fraud, conspiracy to commit computer fraud and abuse, and intentional damage to a protected computer. He will be required to forfeit all of the stolen goods, and he could be sentenced to more than 20 years in jail if convicted.

Article Link: Security Researcher Allegedly Exploited Internal Apple Tool to Steal Millions
 
If found guilty, I hope he has to serve the max sentence allowed. What a scumbag.
Steve Jobs and Steve Wozniak sold blue boxes that hacked the telephone companies to allow people to make free, illegal long distance calls.

And then of course Steve Jobs was involved in the unreported backdating stock options scandal in which he tried to make off with $20 million that would have gone unreported to the IRS if Apple hadn't finally come clean. They admitted to fraudulently concocting a board meeting that never happened during which the stock options were supposedly signed off on.

This is a cut-throat company that has dealt in treachery as a business model from the beginning. I don't lose sleep over them being the victim of the same deceit they practice.
 
A security researcher who reported bugs to Apple was arrested in January for defrauding the company out of millions of dollars, according to a report from 404 Media.


In 2019, Frazee and his accomplice used a password reset tool to gain access to an employee account that belonged to an unnamed "Company B," which does customer support for Apple. That account led to access to additional employee credentials, and Frazee accessed Company B's VPN servers. From there, Frazee was able to get into Apple's systems, placing fraudulent orders for Apple products.

He used Apple's "Toolbox" program that could be used to edit orders after they were placed, and he changed order values to zero, added products to orders, and extended AppleCare contracts. He abused Apple's program from January to March 2019.
Say what you want Apple. But any company that gets its workers' accounts broken into is a terrible thing.
 
It's too bad Apple didn't say "Thanks for showing us the bugs in our system that allowed embezzling millions of dollars in products", it would have been an update note for the ages.
Geez, read the article. The guy didn’t use bugs he found, he used an existing corporate tool for resetting passwords. Good Lord, some people just can’t get anything right.
 
Steve Jobs and Steve Wozniak sold blue boxes that hacked the telephone companies to allow people to make free, illegal long distance calls.

And then of course Steve Jobs was involved in the unreported backdating stock options scandal in which he tried to make off with $20 million that would have gone unreported to the IRS if Apple hadn't finally come clean. They admitted to fraudulently concocting a board meeting that never happened during which the stock options were supposedly signed off on.

This is a cut-throat company that has dealt in treachery as a business model from the beginning. I don't lose sleep over them being the victim of the same deceit they practice.
And yet.. here you are.
 
I absolutely love the moniker "an unnamed company A, Cupertino, California".

The next time I need a case or cover for my next Apple device, I know what will be printed on the surface.
 
Wow! Just imagine where the tech world would be by the time he’s out. We didn’t have any of today’s famous Apple products except Macs 20 years ago!
 
When I worked at Apple during covid I had Toolbox and SAP access. In the course of 6 months I ended up giving away probably $20,000 worth of free stuff by making the price $0.00 (It was my job to give stuff away for customer service/ customer relation cases). The amount of stuff given away was watched very closely, so I'm super surprised it hit the millions in this case without getting caught.
 
"For privacy's sake, let's call it Company A. No, that's too obvious. Let's say, *pple."



Seems pretty complicated, I wonder how they caught him.

"That included extending a customer service contract that was associated with one of the defendants and his family for an extra two years without paying."

Probably this. Incredibly stupid, but most criminals are. At least the ones who get caught.
 