Is this true only 1% people in the world can find this kind of vulnerability
Summary: A rare UI logic flaw was found that lets a user activate a paid subscription for free through the normal interface, with no payment and no technical manipulation. The flaw stems from a communication error between the frontend and backend in a specific workflow, which makes it hard to find with traditional testing or vulnerability scanning. 2025-10-26 15:46:7 Author: www.reddit.com (view original)

Just discovered something truly wild — a UI-only logic flaw in a major product that let a paid subscription activate without any payment, and no API calls or dev tools involved.

Literally everything happened through the normal user interface — no backend tampering, no network interception, no code injection.

The craziest part? It’s a once-in-a-lifetime kind of bug — something that probably no one could find by traditional testing or bug bounty scanning, because it happens purely from how the frontend and backend miscommunicated under certain workflow logic.


Source: https://www.reddit.com/r/blackhat/comments/1ognx0y/is_this_true_only_1_people_in_the_world_can_find/