Bug Writeup: Cloudflare (R2 Payment Bypass)

TLDR; free R2 if you... click fast enough?!?

What was the issue?

I discovered that if you clicked "Add R2 subscription to my account" fast enough, before the Payment field loaded, it would bypass R2's requirement to add a payment method to your account to prevent abuse. It also allowed you to bypass this by just sending an API request to the R2 signup endpoint.

What did it allow?

This allowed anyone to bypass payment method validation when creating R2 resources, and opened up the possibility of abuse.
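The class of issue described above, a requirement gated by the UI but not re-checked by the signup endpoint, as an added example that is not Cloudflare's code and not from the original post. The account store, function names and status codes are assumptions made for illustration; the audit function shows how a defender could find accounts that subscribed without a payment method on file.

```javascript
// Constructed in-memory account store; IDs and field names are hypothetical.
const accounts = new Map([
  ["acct-with-card", { paymentMethods: ["pm_constructed_1"], subscriptions: new Set() }],
  ["acct-no-card", { paymentMethods: [], subscriptions: new Set() }],
]);

// Before: the handler assumes the UI only enabled the button once a payment
// method was entered, so it never looks at the account's billing state.
function subscribeUiGated(accountId, product) {
  const account = accounts.get(accountId);
  if (!account) return { status: 404, error: "unknown account" };
  account.subscriptions.add(product);
  return { status: 200, subscribed: product };
}

// After: the precondition is checked on the server for every request,
// regardless of what the client rendered or whether a browser was involved.
function subscribeServerChecked(accountId, product) {
  const account = accounts.get(accountId);
  if (!account) return { status: 404, error: "unknown account" };
  if (account.paymentMethods.length === 0) {
    return { status: 402, error: "payment method required" };
  }
  account.subscriptions.add(product);
  return { status: 200, subscribed: product };
}

// Audit: list accounts that hold the subscription with no payment method,
// i.e. accounts that got through while the check was missing.
function auditSubscriptionsWithoutPayment(product) {
  const flagged = [];
  for (const [id, account] of accounts) {
    if (account.subscriptions.has(product) && account.paymentMethods.length === 0) {
      flagged.push(id);
    }
  }
  return flagged;
}
```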
