According to 404 Media, a security researcher who reported vulnerabilities to Apple was arrested in January for defrauding Apple of millions of dollars. Researcher Noah Roskin-Frazee is accused of working with a co-conspirator to obtain more than $3 million in products and services through more than two dozen fraudulent orders. That includes about $2.5 million in gift cards and more than $100,000 in "products and services."
While Apple is not explicitly named in the court records, the unnamed "Company A" located in Cupertino, California, is apparently Apple. The court records mention that one of the criminals used a gift card to "purchase FinalCut Pro in Company A's AppStore," and Apple was the only company selling the software.
In 2019, Roskin-Frazee and his associates used a password reset tool to access an employee account belonging to an unnamed "Company B," which provides customer support to Apple. Through this account, Roskin-Frazee obtained additional employee credentials and gained access to Company B's VPN server. From there, he entered Apple's systems and placed fraudulent orders for Apple products.
He used Apple's "Toolbox" program, which can be used to edit orders after they are placed. With it, he changed the order value to zero, added products to the order, and extended the AppleCare contract. He abused Apple's programs between January and March 2019.
The indictment also says the defendants remotely controlled computers located in India and Costa Rica as part of the scam. It describes the scam itself as changing the monetary value of orders to zero, adding products (such as cell phones and laptops) to existing orders for free, and extending existing service contracts. These include extending a customer service contract involving one of the defendants and his family for two years without payment.
In a support document released in January, less than two weeks after his arrest, Apple thanked Roskin-Frazee for discovering several vulnerabilities in macOS Sonoma. "We would like to thank Noah Roskin-Frazee and Professor J. (ZeroClicks.ai Labs) for their assistance," Apple wrote in reference to a Wi-Fi vulnerability.
Roskin-Frazee was charged with wire fraud, mail fraud, conspiracy to commit wire fraud and mail fraud, conspiracy to commit computer fraud and abuse, and willful damage to a protected computer. He will be required to forfeit all stolen property and, if convicted, could be sentenced to more than 20 years in prison.