This last month I had an issue with my current bank that left my account compromised. As a result, my account was closed and all transactions were frozen or declined. This unfortunately meant that the payment I had just made to PG&E, my local gas provider, was going to be declined. If a payment from your bank account fails, PG&E will try to block you from submitting payments from that bank account for at least 30 days. The key word there is try.

As a software QA engineer who primarily tests web applications, I couldn't help but check whether the PG&E website did what far too many developers do: disable a button with CSS styling while leaving it fully functional otherwise. Unfortunately for them, that is exactly what they did. In less time than it would have taken to call their customer support, I was able to exploit their website and submit the payment using my new account details.

It was as simple as:

1. Locating the hidden button.
2. Removing the "display: none;" styling.
3. Continuing with the normal payment process.

While your average consumer is unlikely to go to these lengths to find this kind of flaw in your website, you should know that tinkerers exist. Security by obscurity is by far the weakest form of security. Take the extra time to remove UI elements instead of hiding them, or at the very least disable the event listeners and URLs associated with the button when you hide it.
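As an added example (written for this page, not PG&E's code and not from the original post), here is the same situation in Node.js: the vulnerable rendering that only hides the button, the rendering that omits it, and the server-side check in the payment handler that makes the state of the page irrelevant. The customer IDs, the failure record, the 30-day window and all function names are assumptions.

```javascript
// Added example, not PG&E's code. All names and sample values are assumed/constructed.
const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;

// Constructed in-memory record of failed bank payments: customerId -> time of failure.
// A real system would keep this next to the payment records in its database.
const lastBankPaymentFailure = new Map([
  ["cust-1001", Date.parse("2020-02-01T00:00:00Z")], // constructed sample customer
]);

// Server-side source of truth: is this customer inside the 30-day block window?
// `now` is a parameter so the check is deterministic in tests.
function isBankPaymentBlocked(customerId, now = Date.now()) {
  const failedAt = lastBankPaymentFailure.get(customerId);
  return failedAt !== undefined && now < failedAt + THIRTY_DAYS_MS;
}

// Vulnerable pattern: the button is still in the page and still wired to
// submitBankPayment(); only a CSS rule hides it. Deleting that style in the
// browser's developer tools restores a fully working button.
function renderPayButtonHidden(customerId, now = Date.now()) {
  const hide = isBankPaymentBlocked(customerId, now) ? ' style="display: none;"' : "";
  return `<button id="pay-bank"${hide} onclick="submitBankPayment()">Pay from bank account</button>`;
}

// Better rendering: the control is not emitted at all while blocked. This is the
// UI fix the post recommends, but it is still not the enforcement point, because a
// request to the payment endpoint can be sent without using the page at all.
function renderPayButtonOmitted(customerId, now = Date.now()) {
  if (isBankPaymentBlocked(customerId, now)) return "";
  return `<button id="pay-bank" onclick="submitBankPayment()">Pay from bank account</button>`;
}

// The actual control: the payment endpoint re-checks the block on every request,
// taking the customer identity from the authenticated session, never from the body.
// Returns a plain { status, body } object so it can be used with any HTTP framework.
function handleBankPayment(session, body, now = Date.now()) {
  if (!session || typeof session.customerId !== "string") {
    return { status: 401, body: { error: "not_authenticated" } };
  }
  if (isBankPaymentBlocked(session.customerId, now)) {
    // Same answer whether the click came from a visible button, an un-hidden one,
    // or a hand-crafted request.
    return { status: 403, body: { error: "bank_payments_blocked" } };
  }
  if (!body || !Number.isInteger(body.amountCents) || body.amountCents <= 0) {
    return { status: 400, body: { error: "invalid_amount" } };
  }
  // Assumed: a real handler would hand off to the payment processor here.
  return { status: 200, body: { accepted: true, amountCents: body.amountCents } };
}

// Stand-alone demonstration with constructed timestamps.
function demo() {
  const during = Date.parse("2020-02-10T00:00:00Z"); // inside the 30-day window
  const after = Date.parse("2020-03-15T00:00:00Z");  // window has expired
  const session = { customerId: "cust-1001" };
  const body = { amountCents: 12345 };
  return {
    hiddenMarkup: renderPayButtonHidden("cust-1001", during),
    omittedMarkup: renderPayButtonOmitted("cust-1001", during),
    duringBlock: handleBankPayment(session, body, during),
    afterBlock: handleBankPayment(session, body, after),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the handler is that it rejects the request no matter how the request was produced. Removing the button or its event listeners is worth doing for the UI, but the only check an attacker cannot strip out with developer tools is the one that runs on the server.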