OpenAI Allowed “Unlimited” Credit on New Accounts

We discussed this vulnerability during Episode 209 on 08 May 2023

OpenAI would provide some free credits to a user once they verified their phone number, and to prevent abuse it ensured phone numbers were unique. It's a sane plan, but Checkmarx did find a way to bypass it. Their first bypass was simply to modify the request to add the country code to the number, and it worked. This expanded to just prepending 0s to the number to verify the same number multiple times.

They took this further with some fuzzing using RECollapse to look for normalization issues, and found that one could include unicode-encoded non-ASCII characters in the phone number. These were sufficient to bypass the uniqueness check, but later, when the verification text was sent, the number would get normalized and the message would be sent without issues.
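The root cause is that the uniqueness check compared raw input while the SMS path compared a normalized number. The example below is added here and is not Checkmarx's or OpenAI's code; it assumes a default country code of 1, ten-digit national numbers, and a constructed placeholder number, and shows how the three variant classes described above collapse to one identity once the check canonicalizes the same way the sender does.

```python
import unicodedata

# Constructed placeholder values for the demo; not real subscriber data.
DEFAULT_CC = "1"       # assumed default country code for bare local numbers
LOCAL_LEN = 10         # assumed length of a national number in that country


def naive_key(number: str) -> str:
    """The weak check: the submitted string, as typed, is the identity."""
    return number.strip()


def canonical_key(number: str) -> str:
    """Reduce a submitted number to the single form the SMS gateway dials.

    The uniqueness check must run on this form, not on the raw input, so that
    country-code, leading-zero and non-ASCII-digit spellings of one number
    all collide.
    """
    # Fold compatibility forms (fullwidth digits etc.) to their ASCII digits.
    text = unicodedata.normalize("NFKC", number)
    # Keep only decimal digits, mapping any script's digit to its value so
    # e.g. Arabic-Indic digits become 0-9 instead of surviving as distinct.
    digits = "".join(str(unicodedata.decimal(ch)) for ch in text if ch.isdecimal())
    # Leading zeros (trunk prefix or padding) carry no identity.
    digits = digits.lstrip("0")
    if len(digits) == LOCAL_LEN:
        digits = DEFAULT_CC + digits
    elif not (digits.startswith(DEFAULT_CC) and len(digits) == len(DEFAULT_CC) + LOCAL_LEN):
        raise ValueError("not a dialable number: %r" % number)
    return "+" + digits


def distinct_numbers(variants, key):
    """How many separate accounts a list of submissions would earn under `key`."""
    return len({key(v) for v in variants})


# Constructed spellings of one placeholder number, mirroring the variants
# described in the post: bare, with country code, zero-padded, fullwidth
# digits and Arabic-Indic digits.
VARIANTS = [
    "5551234567",
    "+15551234567",
    "0005551234567",
    "\uff15\uff15\uff15\uff11\uff12\uff13\uff14\uff15\uff16\uff17",
    "\u0665\u0665\u0665\u0661\u0662\u0663\u0664\u0665\u0666\u0667",
]

if __name__ == "__main__":
    print("naive     :", distinct_numbers(VARIANTS, naive_key), "accounts")
    print("canonical :", distinct_numbers(VARIANTS, canonical_key), "account")
```

The check and the sender must share one canonicalization routine; if the gateway normalizes differently from the uniqueness check, the gap reopens.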