Spending 25 yuan on ChatGPT Plus Reveals the Full Gray‑Market Resale Chain

Background

Recent price hikes for Claude’s subscription have driven users to look for cheaper alternatives. The author notes that a Claude Code module that cost a few dollars disappeared from the bill, prompting curiosity about low‑cost ChatGPT Plus accounts.

Cheap Plus source

Resellers obtain legitimate ChatGPT Plus subscriptions through Turkish Apple IDs. The Turkish price is 499 TRY, roughly 85 CNY, which they pay with a normal Apple purchase and receive a genuine in‑app purchase receipt. This step is fully legal and costs about 85 CNY per receipt.

Exploiting the receipt validation

The normal flow is: the user pays on the phone → Apple issues a Base64‑encoded receipt → the ChatGPT app sends the receipt together with the user’s OpenAI token to OpenAI’s servers → OpenAI verifies the receipt with Apple and upgrades the account. OpenAI’s backend only checks that the receipt is genuine, signed by Apple, and paid; it does **not** verify whether the receipt has already been used or whether the Apple ID matches the OpenAI account.

Intercepting and reusing receipts

Resellers place a proxy (Charles or mitmproxy) between the app and the server, capture the request at the moment the receipt is about to be sent, and store the Base64 receipt locally without binding it to any account. The captured receipt can then be paired with any buyer’s OpenAI token and submitted to the subscription endpoint. After verification, the buyer’s account is upgraded to Plus. Even if the buyer later changes the password (invalidating the token), the reseller retains the receipt and can reuse it for the next buyer.

Reseller profitability

A single 85 CNY receipt can be sold for 25 CNY. After four sales the reseller breaks even; the fifth sale and beyond generate pure profit. Some shops reportedly process over 60 orders per day, yielding daily revenue exceeding 1,000 CNY, with the only cost being the original receipt and minimal scripting time.

Prior security reports

The vulnerability was not secret. An OpenAI community member had previously filed a security report explicitly stating that “Apple Pay receipt validation does not bind to the purchaser’s Apple ID, creating a subscription‑bypass risk.”

https://community.openai.com/t/security-report-apple-pay-receipt-validation-does-not-bind-to-purchaser-apple-id-potential-subscription-bypass/1379167

Why OpenAI delayed fixing

Speculation suggests two reasons: (1) individual Plus subscriptions represent relatively low revenue, making the fix low priority; (2) OpenAI may prefer to keep users on the service to collect training data and compete with rivals, postponing stricter enforcement until user habits are established.

Later mitigation

Around May of this year OpenAI began retroactively scanning for repeated transaction_id values. Records of reused receipts are identified and revoked in batches, indicating that the loophole is being closed.

Risks for buyers

Purchasing through this gray market requires handing over the account’s auth token or password to a stranger. While changing the password invalidates the token, the reseller’s scripts and proxy tools—often sourced from unknown channels—may have already copied additional data. Compromised accounts can lose Claude Code chat history, custom GPTs, and stored prompts, making the cheap upgrade potentially costly.

Conclusion and advice

The author suggests three practical approaches: (1) share a Plus account among trusted friends, splitting the monthly cost; (2) create a personal Turkish Apple ID and purchase directly, suitable for those willing to handle the registration process; (3) buy the official subscription, which, at about 160 CNY per month, provides the safest and most reliable experience for developers.