The Complete Account of How a Security Researcher Deceives Apple and Obtains $2.5 Million
A prominent security researcher, who even Apple has acknowledged for exposing vulnerabilities, has allegedly defrauded the tech giant and stolen about $2.5 million worth of products through fraudulent means.
In an ironic twist, Noah Roskin-Frazee, who is affiliated with ZeroClicks Lab, was praised by Apple for his role in identifying the security flaw. Apple expressed its gratitude, stating, “We would like to thank Noah Roskin-Frazee and Professor J. (ZeroClicks.ai Lab) for their assistance.”
But by the time Apple thanked him, the person, 404Media reported, had already been arrested for defrauding Apple of $2.5 million by stealing iPhones, Macs and even gift cards.
How did he manage to pull it off?
Roskin-Frazee had discovered a vulnerability in Apple’s backend system known as Toolbox. Then, in collaboration with another researcher, Keith Latter, they performed an escalation attack against the company’s back-end system. Later they got into the Toolbox after several steps.
They even accessed the employee account of a third-party company that helped Apple with customer support. The duo then placed orders for various Apple products using false identities, manipulating the amount to be paid to zero dollars. This allowed them to get iPhones, laptops and Gift Cards at no cost.
This is certainly a strange case, especially since Apple thanked him two weeks after the arrest. The report also said that one of the two researchers also went on to renew Apple Care subscriptions for himself and his family, revealing their identities.
