Security Researcher Allegedly Exploited Internal Apple Tool to Steal Millions

by

A security researcher who reported bugs to Apple was arrested in January for defrauding the company out of millions of dollars, according to a report from 404 Media.

bug security vulnerability issue fix larry
The researcher, Noah Roskin-Frazee, was accused alongside a co-conspirator obtaining over $3 million in products and services through more than two dozen fraudulent orders. That included around $2.5 million in gift cards and over $100,000 in "products and services."

While Apple is not explicitly named in the court records, an unnamed "Company A" is located in Cupertino, California, and is clearly Apple. The court mentions that one of the perpetrators used gift cards to "purchase Final Cut Pro on Company A's App Store," and Apple is the only company that sells the software.

In 2019, Frazee and his accomplice used a password reset tool to gain access to an employee account that belonged to an unnamed "Company B," which does customer support for Apple. That account led to access to additional employee credentials, and Frazee accessed Company B's VPN servers. From there, Frazee was able to get into Apple's systems, placing fraudulent orders for Apple products.

He used Apple's "Toolbox" program that could be used to edit orders after they were placed, and he changed order values to zero, added products to orders, and extended AppleCare contracts. He abused Apple's program from January to March 2019.

The defendants remoted into computers located in India and Costa Rica as part of the scheme, the indictment adds. The scam itself involved changing order monetary values to zero, adding products to existing orders without cost such as phones and laptops, and extending existing service contracts, the indictment adds. That included extending a customer service contract that was associated with one of the defendants and his family for an extra two years without paying.

Apple thanked Frazee for in a January support document for finding several bugs in macOS Sonoma, and the document was published less than two weeks after he was arrested. "We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance," reads Apple's page in reference to a Wi-Fi vulnerability.

Frazee has been charged with wire fraud, mail fraud, conspiracy to commit wire fraud and mail fraud, conspiracy to commit computer fraud and abuse, and intentional damage to a protected computer. He will be required to forfeit all of the stolen goods, and he could be sentenced to more than 20 years in jail if convicted.

Popular Stories

iOS 18 CarPlay Feature

iOS 18 Adds These 5 New Features to CarPlay

Thursday June 13, 2024 7:44 am PDT by
Apple did not mention CarPlay during its WWDC keynote this week, but iOS 18 includes a handful of new features for the in-car software. Overall, there is not a whole lot new for CarPlay on iOS 18, with changes seemingly limited to the Messages and Settings apps so far. Below, we recap everything new for CarPlay on iOS 18. New for CarPlay on iOS 18 1. Contact Photos in Messages App...
Read Full Article68 comments
ios 18 button bulge

iOS 18 Adds Pop-Out Bezel Animation When Pressing iPhone Buttons

Tuesday June 11, 2024 10:40 am PDT by
iOS 18 includes a small but interesting change for the buttons on the iPhone, adding more of a visual element when changing volume, activating the Action button, or locking the screen. When you press an iPhone button in iOS 18, the display bezel bulges outward slightly. This feature is available for the volume buttons, Action button and the power button, and it will also likely be used for...
Read Full Article103 comments
maxresdefault

First Look at Messages via Satellite in iOS 18

Thursday June 13, 2024 11:29 am PDT by
Apple has been gradually expanding its suite of satellite connectivity features for iPhone, and iOS 18 brings a significant new one in the form of Messages via satellite. The feature allows users to send and receive iMessages and SMS texts, including emoji and Tapbacks, while out of range of cellular and Wi-Fi networks. CNET met up with Apple's senior director of platform product marketing,...
Read Full Article109 comments
iOS 18 Wallet Feature

Here's What's New in Apple Wallet on iOS 18 for Event Tickets and More

Friday June 14, 2024 7:32 am PDT by
iOS 18 includes a handful of enhancements to the Wallet app on the iPhone, with new features for Apple Pay, Apple Cash, event tickets, and more. Below, we outline everything new for the Wallet app on iOS 18, based on information from Apple's press release and a WWDC 2024 coding session. Redesigned Event Tickets Event tickets have an all-new design in the Wallet app on iOS 18, complete...
Read Full Article19 comments

Top Rated Comments

swingerofbirch Avatar
swingerofbirch
18 weeks ago

If found guilty, I hope he has to serve the max sentence allowed. What a scum bag.
Steve Jobs and Steve Wozniak sold blue boxes that hacked the telephone companies to allow people to make free, illegal long distance calls.

And then of course Steve Jobs was involved in the unreported backdating stock options scandal in which he tried to make off with $20 million that would have gone unreported to the IRS if Apple hadn't finally come clean. They admitted to fraudulently concocting a board meeting that never happened during which the stock options were supposedly signed off on.

This is a cut-throat company that has dealt in treachery as a business model from the beginning. I don't lose sleep over them being the victim of the same deceit they practice.
Score: 37 Votes (Like | Disagree)
antiprotest Avatar
antiprotest
18 weeks ago
He should get $10,000 reduced from his sentence as a bounty for finding the security issue.
Score: 21 Votes (Like | Disagree)
Apple_Robert Avatar
Apple_Robert
18 weeks ago
If found guilty, I hope he has to serve the max sentence allowed. What a scum bag.
Score: 11 Votes (Like | Disagree)
japanime Avatar
japanime
18 weeks ago

Whoever could company “a” be? Hint hint.
I'm more interested in finding out who "Company B" is. Would be nice to know to whom (and where) Apple is outsourcing its support.
Score: 8 Votes (Like | Disagree)
MacTwick Avatar
MacTwick
18 weeks ago
When I worked at Apple during covid I had Toolbox and SAP access. In the course of 6 months I ended up giving away probably $20,000 worth of free stuff by making the price $0.00 (It was my job to give stuff away for customer service/ customer relation cases). The amount of stuff given away was watched very closely, so I'm super surprised it hit the millions in this case without getting caught.
Score: 8 Votes (Like | Disagree)
xizdun Avatar
xizdun
18 weeks ago

perpetrators used gift cards to "purchase Final Cut Pro on Company A's App Store ('https://www.macrumors.com/guide/app-store/')," and Apple is the only company that sells the software.
looool. That cracked me up. Prosecutors doing a search-and-replace for "Apple" and "Company A". ??
Score: 6 Votes (Like | Disagree)
Read All Comments