In a surprising twist, a security researcher who is usually praised for helping Apple detect software problems reportedly exploited a massive security hole to scam the company out of $2.5 million.
Noah Roskin-Frazee, who worked at ZeroClick’s lab, was previously thanked by Apple for helping find problems with their software. But now, according to a report by 404 Media, he has been accused of using a loophole in Apple’s system called Toolbox to carry out a major hack.
Here’s how it happened: Noah and his friend Keith reportedly found a way to break into the toolbox, where Apple manages orders placed on hold. They did this by impersonating a different company that helps Apple with customer service and then using that access to enter Apple’s systems.
“During the course of the scheme, defendants and co-conspirators attempted to fraudulently obtain more than $3 million in Company A [Apple] products and services through more than two dozen fraudulent orders,” the indictment states. It says that for orders that were fulfilled, the defendants received approximately $2.5 million in electronic gift cards and more than $100,000 in “products and services.” “The indictment states that many of these gift cards and products were then sold to third parties,” the report noted.
Once they were inside, they started messing with the orders. They reduced the prices to zero and added extra items without paying. They even got gift cards without spending any money, which they could either use themselves or sell for a profit.
The weirdest part? Even though they were trying to cover their tracks by using fake names and addresses, one of them apparently used the system to extend his AppleCare contract for himself and his family.
This whole situation is a huge deal because it’s not just about the money Apple lost. It’s also about trust. People like Noah are expected to help keep Apple’s systems secure, not exploit them for personal gain.
