I didn’t run exploits.
I didn’t touch the backend.
I simply used the product the way any unpredictable, real-world user might.
And that alone was enough to expose multiple business-logic failures:
• A single phone number can create multiple accounts with no meaningful validation.
• Payment and billing flows can be bypassed through normal UI interactions.
• Critical checks appear to exist only on the frontend.
• The system collapses the moment a user steps even slightly outside the “intended flow.”
No hacking tools.
No brute force.
Just standard user behavior performed consistently.
The concerning part?
It was dismissed as “not a security issue.”
But any security professional knows this is exactly how social-engineering and business-logic attacks begin:
• Exploiting trust in user behavior
• Exploiting assumptions in workflow design
• Exploiting gaps between frontend intent and backend enforcement
• Exploiting predictable validation weaknesses
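To make the frontend-versus-backend gap concrete, here is an added example (not code from the original post or from the product it describes) of a backend that enforces the two checks named above on the server: phone-number uniqueness after normalisation, and payment state derived from a server-side record rather than a flag the client sends. The account store, `Backend` class, plan catalogue and callback shape are hypothetical.

```python
"""Server-side enforcement of checks the post describes as frontend-only.

Added example; the storage, phone normalisation and order flow are hypothetical.
The point is that the backend decides, regardless of what the UI submitted.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Backend:
    accounts: dict = field(default_factory=dict)   # normalised phone -> account id
    orders: dict = field(default_factory=dict)     # order id -> {"amount": cents, "paid": bool}
    prices: dict = field(default_factory=lambda: {"pro": 4900})  # server-side catalogue

    @staticmethod
    def normalise_phone(raw: str) -> str:
        """Collapse formatting variants so '+1 (555) 010-0001' and '15550100001' compare equal."""
        digits = re.sub(r"\D", "", raw)
        if len(digits) < 10:
            raise ValueError("phone number too short")
        return digits

    def register(self, raw_phone: str) -> int:
        """Uniqueness is enforced here, not only by the sign-up form."""
        phone = self.normalise_phone(raw_phone)
        if phone in self.accounts:
            raise ValueError("phone number already registered")
        account_id = len(self.accounts) + 1
        self.accounts[phone] = account_id
        return account_id

    def create_order(self, plan: str) -> int:
        """The amount comes from the server catalogue; the client never supplies a price."""
        order_id = len(self.orders) + 1
        self.orders[order_id] = {"amount": self.prices[plan], "paid": False}
        return order_id

    def record_payment(self, order_id: int, settled_cents: int) -> None:
        """Reached only from the payment provider's callback, never from the UI."""
        if settled_cents >= self.orders[order_id]["amount"]:
            self.orders[order_id]["paid"] = True

    def activate(self, order_id: int, client_says_paid: bool) -> bool:
        """The client's own 'paid' flag is deliberately ignored; only the server record counts."""
        return self.orders[order_id]["paid"]
```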
If a system can be destabilized without malicious code, simply by interacting with it normally, that’s not a harmless UI bug.
That is a social-engineering vector
and a structural security weakness.
Whether or not it fits a checkbox definition of “security issue,”
it absolutely qualifies as a risk.
And risks don’t disappear just because someone labels them “out of scope.”