- Reaction score
- 1,732
A pair of university students say they found and reported earlier this year a security flaw allowing anyone to avoid paying for laundry provided by over a million internet-connected laundry machines in residences and college campuses around the world.
Months later, the vulnerability remains open after CSC ServiceWorks repeatedly ignored requests to fix the flaw.
UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to remotely send commands to laundry machines run by CSC and operate laundry cycles for free.
Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours one January morning with his laptop in hand and “suddenly having an ‘oh s—’ moment.” From his laptop, Sherbrooke ran a script of code with instructions telling the machine in front of him to start a cycle despite having $0 in his laundry account. The machine immediately woke up with a loud beep and flashed “PUSH START” on its display, indicating the machine was ready to wash a free load of laundry.
In another case, the students added an ostensible balance of several million dollars into one of their laundry accounts, which reflected in their CSC Go mobile app as though it were an entirely normal amount of money for a student to spend on laundry.
techcrunch.com
Months later, the vulnerability remains open after CSC ServiceWorks repeatedly ignored requests to fix the flaw.
UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to remotely send commands to laundry machines run by CSC and operate laundry cycles for free.
Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours one January morning with his laptop in hand and “suddenly having an ‘oh s—’ moment.” From his laptop, Sherbrooke ran a script of code with instructions telling the machine in front of him to start a cycle despite having $0 in his laundry account. The machine immediately woke up with a loud beep and flashed “PUSH START” on its display, indicating the machine was ready to wash a free load of laundry.
In another case, the students added an ostensible balance of several million dollars into one of their laundry accounts, which reflected in their CSC Go mobile app as though it were an entirely normal amount of money for a student to spend on laundry.
EXCLUSIVE: Two students uncover security bug that could let millions do their laundry for free
Laundry services giant CSC ServiceWorks ignored requests to fix a security bug.
techcrunch.com
