These students discovered a security bug that could let millions of us do laundry for free

A digital padlock on a blue digital background.
(Image credit: Shutterstock / vs148)

Two students found a way to do their laundry for free, after discovering a bug in the app that accompanies the laundry machines at their college campus.

Since they were honest people, they reported their findings in good faith. However, it seems that the company making the app didn’t really bother to reply to their messages or, even worse, address the issue for months. 

Reporting on the findings, TechCrunch says the bug is still present and that free laundry is still possible.

Bugged API 

Apparently, more than three months ago, UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko discovered that the app for internet-connected laundry machines built by CSC ServiceWorks came with numerous flaws. The app, among other things, allows users to top up their accounts and use the funds to purchase laundry washing. 

First, anyone could register an account with any fake email address - the app didn’t bother checking if the owner of the account also owned the associated email address (which is standard practice these days).

Then, they found that the API used by the CSC Go mobile app was flawed in a way that allowed the users to trick CSC servers into accepting commands that change the account balance. One of the users topped up their account by more than a million dollars, to prove their point. 

After discovering the flaws, the two students allegedly tried reaching out to the company in different ways, but failed to ultimately share their findings with anyone. After that, they contacted the media. 

“I just don’t get how a company that large makes those types of mistakes, then has no way of contacting them,” Taranenko said. “Worst-case scenario, people can easily load up their wallets and the company loses a ton of money. Why not spend a bare minimum of having a single monitored security email inbox for this type of situation?”

The company did wipe the students’ balance, but apparently the bug can still be abused.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.