Ego, curiosity, potential bug bounty & this was a low hanging fruit: I was just watching API request in Devtools while using ChatGPT. It took 10 minutes to spot it, and a week of trying to reach a human being. Iterating on the proof-of-concept code to increase potency is also a nice hobby.

These kinds of vulnerabilities give you good idea if there could be more to find, and if their bug bounty program actually is worth interacting with.

With this code smell I'm confident there's much more to find, and for a Microsoft company they're apparently not leveraging any of their security experts to monitor their traffic.