“Distracted from Distraction by Distraction” - T.S. Eliot
TL;DR: Found a simple logic bug when paying my annual Google Fiber (Webpass) bill.
I initially added a $50 payment to my Google Fiber (Webpass) annual subscription and then switched from annual to monthly billing, and saw that $550 (the annual amount) was credited to the account and $60 was billed to the account for the new subscription.
I then replayed the same API operation that was initially called to change the subscription about six more times and saw that each time I called it $550 was credited to the account, and $60 was billed to the account.
At this point there was $2,450 credited to the account, and it showed that the previously invoiced amount had been paid. It would have been fun to call that API operation 100+ more times to see what would happen 😅, but I just reported it instead.
It was covered under the Google VRP because Webpass is a 2016 Google Fiber acquisition. A few days later someone took the credits out of my account, which reset my account balance back to $0.
Thanks to the Google VRP team. 👋
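The bug class above (a plan change that refunds the list price of the old plan every time the request is replayed) is easy to model. The following is an added illustration, not Webpass or Google Fiber code and not the author's: the $550 annual and $60 monthly prices come from the post, while the account fields, the request shape, the idempotency-key scheme and the "refund only what was actually collected" rule are assumptions about how such an endpoint could be written and hardened.

```python
"""Toy model of a replayable plan-change endpoint and a hardened version.

Constructed example, not Webpass/Google Fiber code. Prices are taken from
the post; field names, request shape and idempotency handling are assumed.
"""
from dataclasses import dataclass, field

ANNUAL, MONTHLY = "annual", "monthly"
LIST_PRICE = {ANNUAL: 550, MONTHLY: 60}


@dataclass
class Account:
    plan: str
    paid_toward_term: int = 0   # money actually collected for the current term
    balance: int = 0            # > 0 means credit owed to the customer
    seen_keys: dict = field(default_factory=dict)  # idempotency key -> response


def vulnerable_change_plan(acct: Account, from_plan: str, to_plan: str) -> int:
    """Credits the list price of the plan *named in the request* and bills the
    new plan on every call. Nothing checks that from_plan is the account's
    current plan, that it was ever paid for, or that the request was already
    processed, so each replay mints another (list price - new price) credit."""
    acct.balance += LIST_PRICE[from_plan]
    acct.balance -= LIST_PRICE[to_plan]
    acct.plan = to_plan
    return acct.balance


def hardened_change_plan(acct: Account, from_plan: str, to_plan: str,
                         idempotency_key: str) -> dict:
    """Same operation with three checks: a replayed key returns the stored
    response without side effects, the request must name the plan the account
    actually has, and the credit is the money collected for the old term."""
    if idempotency_key in acct.seen_keys:
        return acct.seen_keys[idempotency_key]          # replay: no new effects
    if from_plan != acct.plan:                          # stale or forged state
        resp = {"status": 409,
                "error": f"account is on {acct.plan}, not {from_plan}"}
        acct.seen_keys[idempotency_key] = resp
        return resp
    acct.balance += acct.paid_toward_term               # refund only what was paid
    acct.paid_toward_term = 0
    acct.balance -= LIST_PRICE[to_plan]                 # bill the new plan
    acct.plan = to_plan
    resp = {"status": 200, "plan": to_plan, "balance": acct.balance}
    acct.seen_keys[idempotency_key] = resp
    return resp


def replay_vulnerable(times: int) -> int:
    """$50 paid toward an annual term, then the same annual->monthly change
    replayed `times` times against the vulnerable endpoint."""
    acct = Account(plan=ANNUAL, paid_toward_term=50)
    for _ in range(times):
        vulnerable_change_plan(acct, ANNUAL, MONTHLY)
    return acct.balance


def replay_hardened(times: int) -> tuple:
    """Same scenario against the hardened endpoint: one real change, then
    replays of the same key, then a fresh key still claiming from_plan=annual.
    Returns (final balance, first status, status of the fresh stale request)."""
    acct = Account(plan=ANNUAL, paid_toward_term=50)
    first = hardened_change_plan(acct, ANNUAL, MONTHLY, "req-001")
    for _ in range(times - 1):
        hardened_change_plan(acct, ANNUAL, MONTHLY, "req-001")   # same key
    fresh = hardened_change_plan(acct, ANNUAL, MONTHLY, "req-002")
    return acct.balance, first["status"], fresh["status"]


if __name__ == "__main__":
    print("vulnerable, 5 replays:", replay_vulnerable(5))   # credit grows by 490 per call
    print("hardened,   5 replays:", replay_hardened(5))     # customer owes $10, replays ignored
```

The vulnerable function gains 490 of credit per call because it trusts the client's `from_plan` and never records that the refund happened. The hardened version closes both gaps: the server's own record of the plan decides what is being refunded, the refund is capped at what was actually collected, and an idempotency key makes a replayed request a no-op rather than a second transaction.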
Disclosure timeline stuff:
- Nov 2019: Reported the plan_changes bug to the Google VRP
- Jan 2020: Reported an authorization bug in some API operations that allowed customer subscriptions to be changed.