Cybersecurity expert who discovered vulnerabilities in Apple was accused of hacking the company

A researcher who regularly informed Apple about identified vulnerabilities is now accused of infiltrating a system related to Apple’s backend. He was charged with accessing more than $2.5 million in gift cards and merchandise.

The defendant, Noah Roskin-Frazee, was arrested in early January 2024. Notably, just two weeks after his arrest, Apple expressed gratitude to the researcher for identifying several vulnerabilities.

According to court documents, “In the course of the fraudulent scheme, defendant and his co-conspirators attempted to fraudulently obtain more than $3 million in Company Apple products and services through more than two dozen fraudulent orders.”

Through the completed orders, the defendants allegedly received approximately $2.5 million in gift cards and more than $100,000 in “products and services.” Authorities say many of those gift cards and merchandise were eventually resold to third parties. For example, six laptops were sold on SellShark.com, a third-party electronics seller.

While court documents do not reveal the names of the companies affected (they are referred to as “Company A” and “Company B”), all signs point to Apple and its contractor being the target of the attack. For example, we know that “Company A” is headquartered in Cupertino, California.

Additionally, the documents mention that one of the defendants used gift cards to “purchase FinalCut Pro from Company A’s app store.” Final Cut Pro is video editing software that costs $299.99. The only way to officially purchase it online is through the Apple App Store.

Noah Roskin-Frazee bills himself as a cybersecurity researcher and has been repeatedly commended by Apple for reporting vulnerabilities. For example, his name is mentioned in vulnerability reports for macOS Ventura and macOS Sonoma.

In one of these reports, published on January 22, 2024, Apple credits Noah Roskin-Frazee and Professor J (of ZeroClicks.ai Lab) for their assistance. 404 Media notes that ZeroClicks Lab is a security research company and does mention Roskin-Frazee on its website.

According to the charges, the fraudulent scheme in which Roskin-Frazee was involved operated from December 2018 to March 2019. The defendants allegedly used a password reset tool to log into the account of an employee of Company B, based in Fremont, California. This company provided “solutions and services to Company A [Apple] customers.”

The defendants then allegedly gained access to the credentials of other employees and used them to log into Company B’s VPN servers. This access allegedly allowed them to penetrate Apple’s systems and place fraudulent orders for products and services. They are also accused of installing malicious scripts on Company B’s systems, one of which continued to run on the company’s systems for a long time.

The defendants are alleged to have abused the Apple Toolbox program, which allowed them to edit orders. It is alleged that they remotely accessed computers in India and Costa Rica, where they changed the cost of orders to zero, added free items to existing orders (including phones and laptops), and extended the terms of existing AppleCare service contracts.

For example, insurance associated with one of the defendants and his family was extended free of charge for two years (this appears to be what ultimately helped uncover the fraudulent scheme). It is also reported that the defendants created accounts with delivery services under fictitious names and used disposable email addresses.

Apple and Roskin-Frazee’s lawyers did not comment on the situation and did not respond to requests from reporters.
