In a surprising turn of events, a security researcher, typically lauded for aiding Apple in identifying software vulnerabilities, allegedly exploited a significant security flaw to defraud the company of $2.5 million.
Noah Roskin-Frazee, employed at ZeroClicks Lab, had previously received acknowledgment from Apple for his contributions in identifying software issues. However, he now faces scrutiny for capitalizing on a vulnerability in Apple’s system known as Toolbox to execute a sizable scam, as reported by 404 Media.
Here’s the sequence of events: Noah and his associate, Keith, purportedly discovered a means to infiltrate Toolbox, where Apple manages pending orders. They achieved this by deceiving a third-party company assisting Apple with customer service, thereby gaining entry into Apple’s system.
“During the scheme, the defendant and accomplices sought to unlawfully acquire over $3 million worth of Company A [Apple] products and services through over two dozen fraudulent orders,” as stated in the indictment. The defendants managed to obtain approximately $2.5 million in electronic gift cards and over $100,000 worth of “products and services,” the indictment further reveals. According to the report, a significant portion of these gift cards and products was subsequently sold to third parties.
Once inside the system, they began tampering with orders, adjusting prices to zero and adding items without payment. They also acquired gift cards without any financial expenditure, which they could either use personally or sell for profit. Intriguingly, despite their attempts to conceal their identities using fake credentials, one of them allegedly used the system to extend AppleCare coverage for themselves and their family.
This incident is significant not only due to the financial loss suffered by Apple but also because it undermines trust. Individuals like Noah are entrusted with safeguarding Apple’s systems, not exploiting them for personal gain.
As investigations progress, the involved parties await the outcome of the ongoing developments.