I have no idea where to report the issue to (Microsoft store? Minecraft support? Microsoft Windows support?), and having dealt with Microsoft support in a professional capacity I know that even if I do figure out where to report it that they will waste weeks of my time asking me to explain the issue and then claim it's working as designed without understanding the problem at all.
That's been a thing for a long time. I hit it when trying to share games with child accounts. IIRC, the high level process was:
- Set up child computer with a child account.
- Add parent account as family member on child computer.
- Set up a PIN for the parent account on the child computer.
- On the child OS account, open the Windows Store and log in as the parent.
- Log back in to the Windows Store using the child account.
When I ran into the issue, I could buy anything I wanted with the child PIN and it bypassed all restrictions.
I was so surprised by the way it worked that I spent an entire afternoon testing it. I got a prepaid credit card, set up fresh MS accounts for the parent + child, set up a clean OS install, and recorded everything using VirtualBox by using the on-screen keyboard to show the PINs.
At the time there was a bug in VirtualBox's video recording that caused it to record random garbage and I got so frustrated that I set it aside and never went back to it.
It seems like an auth bypass issue to me and it's been a problem for over 7 years. It's been around so long it's even made it's way from an unofficial blog into official MS docs [1]:
> As of Dec 25 2015, there seems to be a bug in the Windows Store sign in process as it may ask for your PIN code but it actually wants your family member’s PIN code. That is, at least at the time of this writing, use the PIN of the signed in family member even though it asks for your PIN!
1. https://learn.microsoft.com/en-us/archive/blogs/henrikn/shar...