Researchers report ChatGPT subscription gray market to OpenAI forum; single Business organization anomalously expanded to 1,602 seats

On June 2, a researcher (forum username checkoutxixi) publicly posted a detailed report in the OpenAI Developer Community describing a commercialized ChatGPT subscription abuse supply chain, covering four main types:

1) Simulating the Apple client protocol to forge Apple ID information, bulk subscribing to Plus/Pro in low-price regions such as Turkey (approx. ₺499.99) or the Philippines (approx. ₱491.07, stacking the promo code plus-1-month-50-pct-off), then reselling at a markup, while isolating the ChatGPT account from the actual payment Apple ID to avoid ban risks;

2) Exploiting a vulnerability where fields such as billing_details.country / billing_details.currency may be modifiable on the client side to perform cross-region bulk subscriptions;

3) Bulk registering ChatGPT Free accounts, extracting Session/Token, and routing them through reverse proxy tools such as sub2api and cliproxyapi into a proxy pool, then selling them externally disguised as a “GPT-5.5” API service;

4) Scanning Business promo codes to activate accounts at zero cost, and allegedly exploiting the lack of server-side upper-limit validation for seats to expand a single Business organization’s membership to 1,602 people before reselling the seats.

OpenAI community moderator Avinash has publicly responded, stating that the feedback will be forwarded to the appropriate team for evaluation and handling.

The reporter stated that these vulnerabilities have been successfully reproduced, and that the Apple-side vulnerabilities have been separately reported to Apple, but as of June 2, no confirmation of a fix had been received. Regarding the abuse of Free accounts, even though OpenAI has added phone number verification, some merchants still claim they can bypass it to continue bulk registration. The reporter said they hold multiple pieces of evidence, including script samples, billing_details request fragments, screenshots of the Business management page, and records of sales disguised as GPT-5.5 on secondary markets. Because the forum is a public space, the detailed content has not been uploaded yet, and the reporter stated that more reports will be submitted in batches later.
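Items 2 and 4 of the report both describe a server trusting what the client sends. The following is an added example, not code from the report or from OpenAI, showing the two server-side checks whose absence is alleged. The price book, the 150-seat cap, and every name other than billing_details.country / billing_details.currency are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical policy values, constructed for this example.
PRICE_BOOK = {"TR": "TRY", "PH": "PHP", "US": "USD"}  # billing country -> currency
SEAT_LIMIT = {"business": 150}                        # assumed per-plan hard cap


class Rejected(Exception):
    """Raised when a request fails server-side validation."""


@dataclass
class Org:
    plan: str
    seats: int = 0


def resolve_billing(client_details: dict, server_facts: dict) -> tuple[str, str]:
    """Return the (country, currency) to bill, derived from server-side facts only.

    client_details holds what the client sent (billing_details.country/.currency).
    server_facts holds what the backend established itself; here, assumed to be
    the card's issuing country as reported by the payment processor.
    """
    country = server_facts["card_country"]
    currency = PRICE_BOOK.get(country)
    if currency is None:
        raise Rejected(f"no price book entry for {country}")
    # Client-supplied values never select the price; a mismatch is refused.
    claimed = (client_details.get("country"), client_details.get("currency"))
    if claimed != (country, currency):
        raise Rejected(f"client claimed {claimed}, server resolved {(country, currency)}")
    return country, currency


def add_seats(org: Org, requested: int) -> int:
    """Grow an organization, enforcing the plan's seat cap on the server."""
    if requested <= 0:
        raise Rejected("seat count must be positive")
    limit = SEAT_LIMIT[org.plan]
    if org.seats + requested > limit:
        raise Rejected(f"{org.seats} + {requested} exceeds the {limit}-seat cap")
    org.seats += requested
    return org.seats
```

In a real backend the cap check and the increment would need to run inside one transaction, so that concurrent requests cannot each pass the check and jointly exceed the limit.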

OpenAI Developer Community