
I recently noticed some strange behavior in a pay-as-you-go mobile hotspot service when I was adding money to my account via phone.

I forgot my pin so I guessed. I was wrong. I guessed again, and it let me through and accepted my payment information (amount, card number, expiration date, security code on back of card).

My service didn't resume, so I called again to check my balance. The pin that worked for the credit card menu didn't work for the balance inquiry menu or the general account info menu. It also didn't work when I tried to use it to log into their website.

I found the screen accepted the second entry, no matter what. In testing this theory, I got the menu to put me through using pins like 1111, 2222, 3333, and 0000. I recreated this several times in front of 2 separate witnesses.

The logic, in pseudo-code, would be something like this:

pin = "someBullshit";
input = user.getInput();

if(input == pin) {
    // let them do their thing ...
} else {
    secondInput = user.getInput();
    if(secondInput) { // only checks that a second entry exists at all, not that it matches
        // let them do their thing???
    }
}

I did have a few suspicious charges on my account a few months ago, and didn't notice until now that it corresponded with me starting the service.

I was considering asking to speak to a manager or reporting this through a bug bounty system, but wanted to get some advice from more experienced people first.

I am a grad student so being able to make a few bucks would be killer, but I am more concerned about preventing people from being predated.

While the company is not on HackerOne, their parent company is.

My question: should I try to go through customer service to report the issue, or should I use HackerOne's request disclosure information to find a channel to go through?
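As an added illustration (not the poster's code), here is the check the pseudo-code above describes next to a version that fails closed: every entry is actually compared, failures are counted, and the account locks out. The account record, the sample PIN and the three-attempt limit are assumptions made for the demo.

```python
"""Added example: the flawed IVR PIN check from the post beside a hardened
one. The account store, PIN and lockout threshold are constructed for the
demo and are not the provider's real values."""
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed policy; set per your own risk tolerance


@dataclass
class Account:
    pin: str                  # constructed sample data
    failed_attempts: int = 0
    locked: bool = False


def verify_pin_buggy(account: Account, entries: list[str]) -> bool:
    """Mirrors the post's pseudo-code: the first entry is compared, but any
    non-empty second entry is accepted without being checked against the PIN."""
    first = entries[0] if entries else ""
    if first == account.pin:
        return True
    second = entries[1] if len(entries) > 1 else ""
    return bool(second)       # "if(secondInput)": existence, not equality


def verify_pin(account: Account, entries: list[str]) -> bool:
    """Hardened check: each entry is compared in constant time, wrong guesses
    are counted across the whole call, and the account locks after
    MAX_ATTEMPTS so further guessing (even a correct one) is refused."""
    for entry in entries:
        if account.locked:
            return False
        if hmac.compare_digest(entry.encode(), account.pin.encode()):
            account.failed_attempts = 0
            return True
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_ATTEMPTS:
            account.locked = True     # requires an out-of-band reset
    return False
```

Run against two wrong guesses, the buggy check returns True while the hardened one returns False and moves the account one step closer to lockout.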

  • Thanks for pointing this out - I didn't notice this when I was researching. The accepted answer for this one doesn't quite work for me though - I don't have access to the developer and thus can't privately let them know. I might be able to use this to edit for more specificity, however. – Wiley Quixotey Apr 28 '19 at 17:36
