{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreigg4rlrvo3frsoon4hsop225gb5ky5zml4qsnncmnemv5va67key4",
    "uri": "at://did:plc:lk3jfj3zq4k4wxnk474axylu/app.bsky.feed.post/3mjom3fmgk3s2"
  },
  "path": "/t/security-report-apple-pay-receipt-validation-does-not-bind-to-purchaser-apple-id-potential-subscription-bypass/1379167#post_1",
  "publishedAt": "2026-04-17T09:06:24.000Z",
  "site": "https://community.openai.com",
  "textContent": "**Disclaimer** : This report is for technical research and responsible disclosure purposes only. I do not endorse or encourage any unauthorized use, account sharing, or commercial exploitation of this finding. All testing was conducted on accounts I own or with explicit permission.\n\n## Summary\n\nI identified a logical vulnerability in the iOS ChatGPT app’s subscription verification flow: **OpenAI’s backend validates the cryptographic authenticity of an Apple Pay receipt, but does not verify whether the Apple ID that purchased the receipt matches the OpenAI account receiving the Plus upgrade**.\n\nThis allows a valid, paid receipt to be reused to activate ChatGPT Plus on _any_ OpenAI account, regardless of the original purchaser’s identity.\n\n## Technical Background: Expected Flow\n\n  1. User initiates purchase in ChatGPT iOS app → App Store charges the Apple ID.\n  2. Apple generates a signed receipt (`transactionReceipt`) and stores it locally on the device.\n  3. ChatGPT app sends the receipt + current user’s `auth token` to OpenAI backend.\n  4. OpenAI verifies:\nReceipt signature is valid (via Apple’s verification endpoint)\n`auth token` belongs to an active account\n**Does NOT verify** : Is the Apple ID in the receipt the same as the one linked to this OpenAI account?\n\n\n\n## Vulnerability Detail\n\nBecause the binding check is missing, the authorization logic reduces to:\n`valid_receipt + valid_auth_token = Plus granted`\n\nThis is analogous to presenting a genuine store receipt at a service counter—the clerk verifies the receipt is real, but does not check your ID.\n\n## Reproduction Outline (High-Level)\n\n_(Note: Detailed exploitation steps omitted for responsible disclosure. Available upon request via secure channel.)_\n\n  1. 
**Obtain a valid iOS receipt**\n\n     * Purchase ChatGPT Plus via a low-region Apple ID (e.g., Turkey: ~499 TRY/month).\n     * Intercept the receipt before the app auto-submits it (via local proxy, DNS redirection, or runtime hooking on jailbroken devices).\n  2. **Reuse the receipt via API**\n\n     * Send a crafted request to OpenAI’s subscription endpoint:\n\n           POST https://chat.openai.com/backend-api/subscription/upgrade\n           Authorization: Bearer <target_account_auth_token>\n           Content-Type: application/json\n\n           {\n             \"receipt\": \"<base64_encoded_valid_receipt>\",\n             \"platform\": \"ios\",\n             \"product_id\": \"com.openai.chatgpt.plus\",\n             \"device_info\": { ... }\n           }\n\n\n     * Result: Target account receives Plus status, even though the receipt was purchased by a different Apple ID.\n\n  3. **Impact Amplification**\n\n     * One paid receipt (~$2.5–3 USD equivalent in Turkey) can activate Plus on unlimited accounts.\n     * This enables commercial “Plus reselling” at fractions of the official price, causing revenue leakage and unfair system abuse.\n\n\n\n## Affected Components\n\n  * ChatGPT iOS app (all versions tested: v1.2026.xx)\n  * Backend endpoint: `/backend-api/subscription/upgrade`\n  * Verification logic for iOS in-app purchase receipts\n\n\n\n## Suggested Mitigations\n\n  1. **Bind receipt to purchaser identity** : During receipt validation, extract the `original_purchase_date`, `transaction_id`, and critically, the `app_item_id` / `bundle_id` + verify the Apple ID’s cryptographic signature matches the submitting session.\n  2. **Implement receipt single-use enforcement** : Mark receipts as “consumed” after first successful activation.\n  3. **Add device/account fingerprinting** : Correlate Apple ID, device identifier (IDFV), and OpenAI account at subscription time.\n  4. 
**Monitor for receipt reuse** : Alert on identical `transaction_id` or `original_transaction_id` appearing across multiple OpenAI accounts.\n\n\n\noriginal url: linux.do/t/topic/1981747\n\noriginal Text: (本文仅供技术交流。任何实际操作产生的账号封禁、法律风险,自行承担)\n\n原理:OpenAI 不查 Apple ID 对应关系,拿张收据就能给任意号开会员 正常流程是这么走的: 你 iPhone 上点付款 → App Store 扣钱 → Apple 把收据扔到你手机本地 → ChatGPT App 捡起收据 → App 把收据和你当前登录的账号 token 一起打包发给 OpenAI → OpenAI 验一下收据真假 → 给你账号开 Plus。 挺严谨对吧? 屁。 漏洞就藏在 OpenAI 验票那一步。 OpenAI 验票的时候,根本不看这张收据是你 Apple ID 买的,还是隔壁老王 Apple ID 买的。它只看两样东西:**收据合法不合法,以及你传过来的那个 ChatGPT auth token 是不是活的。** 收据合法 + token 有效 = 任意账号变 Plus。 什么 Apple ID 绑定、什么账号对应关系,全不查。这就好比你拿着别人的购物小票去柜台领东西,柜员只看小票真假,不看你身份证。 三端订阅管理都是交给第三方 API 处理的,iOS 系统框架允许 App 把内购凭据往第三方服务器发,这本是正常开发逻辑。但 OpenAI 在这条链路上偷了懒------或者说,压根没想过有人会卡这个环节。 既然漏洞摆在这儿,流程就简单了。 第一步:搞一个土耳其区 Apple ID。 土耳其区 Plus 标价 499 里拉一个月,折人民币大概八十五块。国内定价多少?一百四五。差价自己算。 往这个土区 Apple ID 里充好礼品卡,钱备足。 第二步:拦截收据。 在你 iPhone 上打开 ChatGPT App,别登录你想开 Plus 的目标账号,随便登个临时号或者干脆不登。 内购付款之前,配置网络拦截------核心操作就是阻止 ChatGPT App 把收据发给 OpenAI 服务器。 App Store 那边照常扣钱,Apple 照常把收据扔到你手机本地沙盒目录里。但因为你的拦截,这张收据没自动飞向 OpenAI,而是老老实实待在本地等你来拿。 第三步:导出收据。 导出收据通常需越狱设备或利用系统漏洞。\n\n**实际主流玩法有三种:**\n\n  * 方法 A,端点本地映射。用 DNS 劫持或本地代理,把 ChatGPT App 发往 OpenAI 的请求重定向到你自己的本地服务器。请求里本来就带着 Base64 编码的收据,到了你本地,直接保存下来。工具就那些:mitmproxy、Charles Proxy、自建 HTTPS 代理加一张自签证书。不用越狱,门槛低得令人发指。 方法\n\n  * B,越狱加 Hook。越狱设备上用 Frida 或者 Flex,直接 hook StoreKit 框架,截下 SKPaymentTransaction 的 transactionReceipt,或者读 appStoreReceiptURL 拿收据文件。粗暴直接。 方法\n\n  * C,安卓路径用 Xposed Hook,逻辑类似。 第四步:API 补单。 收据到手,直接往 OpenAI 的订阅接口发请求\n\n\n\n\n注意,这里的 auth token是目标用户给你的登录令牌,权限有限,有效期短。你给他充完 Plus,他立刻改密码,你拿着这张收据去充下一个。 一张土耳其收据八十五块人民币成本,能给无数个账号开 Plus。闲鱼上那些二三十块钱一个月的 GPT Plus 代充,就是这么来的。你以为人家做慈善?人家是拿一张票反复上车。 OpenAI 至今没补这个窟窿。不是补不了,是优先级不够,或者说,他们根本不在乎这点订阅收入的漏洞。毕竟大头在企业 API 那边。 这套流程,技术含量不高,但信息差极高。外面那些收费几千教人\"GPT 代充技术\"的,教的就是这几步。我今天直接摊开写,省得你们再去交智商税。",
  "title": "[Security Report] Apple Pay receipt validation does not bind to purchaser Apple ID – potential subscription bypass"
}
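Added example (an editor's illustration, not OpenAI's code and not part of the report above) of the server-side check that the report's mitigations 1, 2 and 4 describe: the purchase carries an account-scoped `appAccountToken`, each `originalTransactionId` has exactly one owning account, and a detection pass over a constructed grant log finds a transaction redeemed by several accounts. The transaction payload is assumed to have been authenticated upstream (Apple's JWS signature or `verifyReceipt`), so only the authorization step is shown; the bundle identifier, the token namespace, the account names and the transaction values are hypothetical, and the field names follow Apple's decoded transaction payload.

```python
"""Bind an Apple in-app purchase transaction to exactly one service account.

Editor's example, not OpenAI's code. The payload is assumed to have already
been authenticated upstream (JWS signature check or verifyReceipt); this is
only the authorization step the report describes as missing.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field

# Hypothetical values; only the product id appears in the report.
EXPECTED_BUNDLE_ID = "com.openai.chatgpt"
PLUS_PRODUCT_IDS = frozenset({"com.openai.chatgpt.plus"})
# Server-side secret namespace: a client cannot derive another user's token.
TOKEN_NAMESPACE = uuid.UUID("7f2b9e4e-6c3a-4c0d-9c1f-2f7e1a5d8b61")


def app_account_token_for(account_id: str) -> str:
    """UUID the server hands the logged-in client to pass as appAccountToken.

    Apple echoes it back inside the signed transaction, which is what lets the
    backend tie the purchase to the account rather than to the device.
    """
    return str(uuid.uuid5(TOKEN_NAMESPACE, account_id))


class RedeemError(Exception):
    pass


@dataclass
class SubscriptionStore:
    # originalTransactionId -> account that first redeemed it (one owner, ever)
    owner: dict[str, str] = field(default_factory=dict)
    # account -> originalTransactionId currently granting Plus
    active: dict[str, str] = field(default_factory=dict)


def redeem(store: SubscriptionStore, account_id: str, txn: dict, now_ms: int) -> str:
    """Grant Plus to account_id for this transaction, or raise RedeemError.

    `txn` uses Apple's decoded transaction payload field names (bundleId,
    productId, originalTransactionId, expiresDate in ms, appAccountToken).
    Returns the originalTransactionId now bound to the account.
    """
    if txn.get("bundleId") != EXPECTED_BUNDLE_ID:
        raise RedeemError("receipt is for another app")
    if txn.get("productId") not in PLUS_PRODUCT_IDS:
        raise RedeemError("not a Plus product")
    if txn.get("expiresDate", 0) <= now_ms:
        raise RedeemError("subscription expired")

    # The binding check the report says is absent: the purchase must carry the
    # token derived from *this* account. A receipt bought while logged into a
    # throwaway account (or not logged in at all) will not match.
    if txn.get("appAccountToken") != app_account_token_for(account_id):
        raise RedeemError("receipt was not purchased for this account")

    # Single-owner rule: an originalTransactionId belongs to one account, ever.
    # Renewals of the same subscription reuse it, so the owner keeps working.
    otid = txn.get("originalTransactionId")
    if not otid:
        raise RedeemError("missing originalTransactionId")
    owner = store.owner.setdefault(otid, account_id)
    if owner != account_id:
        raise RedeemError(f"transaction {otid} already owned by another account")

    store.active[account_id] = otid
    return otid


def reused_transactions(redemptions: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Detection for the legacy flow: originalTransactionIds granted to >1 account.

    `redemptions` holds (originalTransactionId, accountId) pairs from the grant
    log; any id with more than one distinct account is reseller activity.
    """
    seen: dict[str, set[str]] = {}
    for otid, account in redemptions:
        seen.setdefault(otid, set()).add(account)
    return {otid: accts for otid, accts in seen.items() if len(accts) > 1}


def demo() -> dict:
    """Constructed data: one paid receipt replayed against three accounts."""
    now = 1_776_000_000_000  # hypothetical "now" in ms since the epoch
    store = SubscriptionStore()
    buyer = "acct-buyer"
    receipt = {
        "bundleId": EXPECTED_BUNDLE_ID,
        "productId": "com.openai.chatgpt.plus",
        "transactionId": "2000000123456789",
        "originalTransactionId": "2000000123456789",
        "expiresDate": now + 30 * 24 * 3600 * 1000,
        "appAccountToken": app_account_token_for(buyer),
    }
    results: dict = {}
    for account in (buyer, "acct-target-1", "acct-target-2"):
        try:
            results[account] = redeem(store, account, receipt, now)
        except RedeemError as exc:
            results[account] = f"rejected: {exc}"
    # What the unbound legacy flow would have logged for the same replay:
    legacy_log = [(receipt["originalTransactionId"], a) for a in results]
    results["reuse_alert"] = reused_transactions(legacy_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The client obtains its token from the server after login and passes it through StoreKit 2's `appAccountToken` purchase option, so the receipt produced by the interception setup in the original post (purchase made while logged into a throwaway account or not logged in) carries either no token or the wrong one and is refused for every other account. The first-owner rule on `originalTransactionId` is what still covers renewals and any receipt issued before the token was introduced, and `reused_transactions` is the alert from mitigation 4 run over the grant log.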