These students discovered a security bug that could let millions of us do laundry for free
published 20 May 2024
Laundry app’s balance can be easily topped up
Two students found a way to do their laundry for free, after discovering a bug in the app that accompanies the laundry machines at their college campus.
Acting in good faith, they reported their findings to the company. However, the company behind the app apparently neither replied to their messages nor, worse, fixed the issue for months.
Reporting on the findings, TechCrunch says the bug is still present and that free laundry is still possible.
Bugged API
Apparently, more than three months ago, UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko discovered that the app for the internet-connected laundry machines built by CSC ServiceWorks came with numerous flaws. Among other things, the app lets users top up their accounts and spend the funds on washes.
First, anyone could register an account with any fake email address: the app didn’t check that the person creating the account also controlled the associated email address, a check that is standard practice these days.
Then they found that the API used by the CSC Go mobile app was flawed in a way that let users send the CSC servers commands which changed the account balance, and the servers accepted them. To prove the point, one of the two topped up an account by more than a million dollars.
After discovering the flaws, the two students reportedly tried to reach the company through several channels but ultimately failed to get their findings to anyone. After that, they contacted the media.
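As an added illustration, not code from the article or from CSC ServiceWorks, of the difference between the flawed pattern described above and a defensible one: the weak handler credits whatever amount the client submits, while the hardened path only credits the amount in a settlement message signed by the payment provider and ignores replayed messages. The provider secret, the settlement format and the per-request limit are assumptions made for the demo.

```python
import hmac
import hashlib
import json

# Assumption: shared secret between the laundry service and its payment provider (constructed value).
PROVIDER_SECRET = b"constructed-demo-provider-secret"


class Wallet:
    """In-memory ledger: balances in cents plus processed payment ids for replay protection."""

    def __init__(self):
        self.balances = {}
        self.settled_payments = set()

    def balance(self, user):
        return self.balances.get(user, 0)

    # Weak pattern: the mobile client tells the server how much to credit and the server believes it.
    def vulnerable_topup(self, user, amount_cents):
        self.balances[user] = self.balance(user) + amount_cents
        return self.balance(user)

    # Hardened pattern: the client can only *request* a top-up (bounded server-side); money is
    # credited solely from a provider settlement whose signature the server verifies.
    def request_topup(self, user, amount_cents):
        if amount_cents <= 0 or amount_cents > 50_000:  # assumed limit, enforced on the server
            raise ValueError("invalid top-up amount")
        return {"user": user, "amount_cents": amount_cents}  # intent handed to the provider

    def on_payment_settled(self, payload_bytes, signature_hex):
        expected = hmac.new(PROVIDER_SECRET, payload_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature_hex):
            raise PermissionError("settlement signature invalid")
        event = json.loads(payload_bytes)
        if event["payment_id"] in self.settled_payments:
            return self.balance(event["user"])  # replayed webhook: idempotent, no double credit
        self.settled_payments.add(event["payment_id"])
        # Credit the amount the *provider* settled, never a client-supplied figure.
        self.balances[event["user"]] = self.balance(event["user"]) + int(event["amount_cents"])
        return self.balance(event["user"])


def sign_settlement(event):
    """Stand-in for the provider's signing step (constructed for the demo)."""
    payload = json.dumps(event, sort_keys=True).encode()
    return payload, hmac.new(PROVIDER_SECRET, payload, hashlib.sha256).hexdigest()
```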
“I just don’t get how a company that large makes those types of mistakes, then has no way of contacting them,” Taranenko said. “Worst-case scenario, people can easily load up their wallets and the company loses a ton of money. Why not spend a bare minimum of having a single monitored security email inbox for this type of situation?”
The company did wipe the students’ balance, but apparently the bug can still be abused.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.