Yandex will automatically link the card to another account

Recently, many services try to remember bank card details at checkout so that the next payment is more convenient for the user and the card data does not have to be entered again. I'm almost sure every marketing textbook says that binding a card raises the probability of a purchase by 146%. Of the binding methods, there are 3 basic ones:

  • Offer it unobtrusively: whoever wants it ticks the box;
  • Suggest it actively: the binding checkbox is ticked by default, and whoever forgot to untick it has only themselves to blame;
  • Bind without any notification: the service itself knows best what is good for the user.

All these options have one thing in common: the card is linked to the account from which the payment is made. Today I want to tell you that Yandex has invented a 4th binding option: in some cases the card can be linked to (almost) someone else's account.

I want to warn you right away that the problem does not affect all accounts, only some subset that Yandex has flagged in a special way, so you may not be able to reproduce it; however, Yandex technical support says that this behavior is not a bug and was designed this way.

So, for starters, you will need 2 things: a Yandex account and a phone number confirmed in that account. Next, we need the Yandex.Taxi mobile application; it is special: you can "sign in" to it without having a Yandex account at all, just by phone number. Recently every Yandex application asks you to sign in to your account: it is more convenient for the user, and Yandex gets even more data about the client.

In Yandex.Taxi everything is different: to use the service you do not need to sign in to an account, you just enter the phone number, receive an SMS, and off you go. Yandex.Taxi also offers to attach a card for easy payment: there is nothing special about that, all similar services work the same way, and some even work only with card payment. But after linking the card you may encounter the following feature: this card is automatically linked to the Yandex account in which the phone number from Yandex.Taxi has been confirmed.

So, the list of actions in order:

  1. Take a Yandex account with an attached phone number;
  2. Open the Yandex.Taxi application and sign in to it by phone number only (without involving a Yandex account);
  3. Attach a bank card in Yandex.Taxi;
  4. Observe that this bank card has been automatically linked to the Yandex account from step 1.

Important features:

  • if you delete the card from the Yandex account, it is also deleted from Yandex.Taxi;
  • if you add a card in your Yandex account, it is NOT added to Yandex.Taxi;
  • if you create another Yandex account and confirm the same phone number there, the card appears only in the first account;
  • I could not reproduce this behavior with a new account and a different phone number (most likely Yandex needs some time to establish a strong "link" between the phone number and the account).

On the one hand, one could say the problem is not very big: if the user has confirmed the phone number in the Yandex account, then it can be used to bind things to other accounts. But I see a big problem in the following chain of events:

  1. Someone registers a Yandex account and binds a phone number to it;
  2. After some time the mobile operator blocks the number for inactivity, after which it goes back on sale;
  3. Someone else buys a SIM card with this number, opens the Yandex.Taxi application, binds a card, and that card is bound to the Yandex account of a complete stranger.
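The chain of events above is, in effect, a threat model for phone-number recycling: an SMS confirmation proves that someone holds the number today, not that it is still the same person who confirmed it in the account. Below is an added example, written for this post and not taken from it or from Yandex, of the policy check a service could run before silently merging a card from a phone-only session into a full account. The data fields, the device list, and the 90-day and 365-day thresholds are all assumptions; the idea is that a dormant account plus a fresh SMS from an unknown device should never result in a silent merge.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    LINK = "link silently"           # merge the card into the account without asking
    ASK_OWNER = "ask account owner"  # merge only after confirmation inside the full account
    DENY = "do not link"             # numbers differ or the account looks abandoned


@dataclass
class AccountPhone:
    """Phone number as stored on a full account (field names are assumptions)."""
    account_id: str
    phone: str
    verified_at: datetime              # last time the account itself confirmed this number
    last_active_at: datetime           # last sign-in with the account's own credentials
    devices: set = field(default_factory=set)  # device ids seen on authenticated sessions


@dataclass
class PhoneOnlySession:
    """Session in the phone-only app: SMS confirmation, no account password."""
    phone: str
    device_id: str
    confirmed_at: datetime


# Assumed policy thresholds. Operators keep a released number out of circulation
# for a quarantine period before reselling it, so a verification older than that
# window no longer proves the number still belongs to the account holder.
MAX_VERIFICATION_AGE = timedelta(days=90)
MAX_DORMANCY = timedelta(days=365)


def auto_link_decision(account: AccountPhone, session: PhoneOnlySession,
                       now: datetime) -> tuple[Decision, str]:
    """Decide whether a card added in `session` may be merged into `account`.

    Returns the decision plus a reason string suitable for an audit log.
    """
    if account.phone != session.phone:
        return Decision.DENY, "phone number does not match the account"
    if now - account.last_active_at > MAX_DORMANCY:
        # Dormant account + fresh SMS confirmation from a phone-only app is the
        # recycled-SIM pattern described in the post: never merge silently.
        return Decision.DENY, "account dormant; number may have been reassigned"
    if now - account.verified_at > MAX_VERIFICATION_AGE:
        return Decision.ASK_OWNER, "phone verification in the account is stale"
    if session.device_id not in account.devices:
        return Decision.ASK_OWNER, "card added from a device the account never used"
    return Decision.LINK, "fresh verification from a known device"


def demo() -> dict:
    """Constructed scenarios: a normal user, a new device, and a recycled number."""
    now = datetime(2019, 6, 1, tzinfo=timezone.utc)
    owner = AccountPhone("acc-1", "+70000000001",
                         verified_at=now - timedelta(days=10),
                         last_active_at=now - timedelta(days=1),
                         devices={"dev-A"})
    abandoned = AccountPhone("acc-2", "+70000000002",
                             verified_at=now - timedelta(days=400),
                             last_active_at=now - timedelta(days=400))
    return {
        "same_device": auto_link_decision(
            owner, PhoneOnlySession("+70000000001", "dev-A", now), now)[0],
        "new_device": auto_link_decision(
            owner, PhoneOnlySession("+70000000001", "dev-B", now), now)[0],
        "recycled_sim": auto_link_decision(
            abandoned, PhoneOnlySession("+70000000002", "dev-C", now), now)[0],
        "wrong_number": auto_link_decision(
            owner, PhoneOnlySession("+70000000009", "dev-A", now), now)[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} -> {decision.value}")
```

The "ask the owner" outcome matters as much as the deny: a card added from a never-seen device on a healthy account is not necessarily an attack, but it is exactly the case where the confirmation should happen inside the full account rather than be assumed from an SMS.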

I decided to report this strange behavior to Yandex.Taxi technical support, but they did not quite understand me and suggested updating the application :-)

Then I went through the BUG BOUNTY form, and the conversation went more productively.

A Yandex technical support employee said that the bug I reported was not a bug at all but the developers' intention: accounts are "connected" only in the right phase of the moon, and the situation with a re-issued SIM card and the subsequent binding of a card is completely excluded.
I have no reason not to trust the Yandex employee, and most likely no one will run into the problems I described, but I decided to write about this, in my opinion, rather unusual variant of card binding, so that the next logical step from Yandex is not binding cards to every account you have ever signed into from the same device or IP address.