Laundry vendor had security bug that could let millions do laundry for free

Nobody likes to do laundry. Even worse when you have to drag all your dirty clothes to a laundromat and pay for the privilege on top of everything else. But for a brief moment in time, two students at UC Santa Cruz discovered that maybe you don’t always have to pay.

Security flaw in laundry app API

The two students, Alexander Sherbrooke and Iakov Taranenko, found a vulnerability in their university’s network of laundry appliances that allowed them to send commands to do free laundry. The first time he did it, Sherbrooke had $0 in his laundry account, but he was able to start a wash nonetheless. Another student added several million dollars to his account thanks to the bug. 

The specific issue was related to the API behind the laundry service’s mobile app, which is designed to let the app communicate with the washing machines. The major flaw was that the company’s servers automatically trusted security checks performed by the app instead of repeating them on the server. Knowing this, Sherbrooke and Taranenko could circumvent the security checks entirely and send commands straight to the server.
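The pattern described above, as an added example (not code from CSC ServiceWorks or the researchers): a handler that acts on the app's claim that a check passed, beside one that enforces the check on the server. The field names, cycle price and ledger contents are assumptions constructed for illustration.

```python
from dataclasses import dataclass

CYCLE_PRICE_CENTS = 175  # assumed price of one wash cycle


@dataclass
class Account:
    user_id: str
    balance_cents: int


# Constructed server-side ledger: the only authoritative record of balances.
LEDGER = {
    "student-1": Account("student-1", 0),
    "student-2": Account("student-2", 500),
}


def start_cycle_trusting_client(request: dict) -> dict:
    """Weak pattern: the server accepts the app's word that funds were checked."""
    if request.get("client_checked_balance") is True:
        return {"ok": True, "machine": request["machine_id"]}
    return {"ok": False, "error": "insufficient funds"}


def start_cycle_server_enforced(request: dict, session_user: str) -> dict:
    """Corrected pattern: the account comes from the authenticated session, and
    the balance check and debit run on the server against its own ledger.
    Balance or 'already checked' fields in the request are never read."""
    account = LEDGER.get(session_user)
    if account is None:
        return {"ok": False, "error": "unknown account"}
    if account.balance_cents < CYCLE_PRICE_CENTS:
        return {"ok": False, "error": "insufficient funds"}
    account.balance_cents -= CYCLE_PRICE_CENTS
    return {"ok": True, "machine": request["machine_id"]}


if __name__ == "__main__":
    # Constructed request in which the client asserts its own check passed.
    req = {"machine_id": "W-12", "client_checked_balance": True,
           "balance_cents": 999_999_999}
    print("trusting client :", start_cycle_trusting_client(req))
    print("server enforced :", start_cycle_server_enforced(req, "student-1"))
    print("funded account  :", start_cycle_server_enforced(req, "student-2"))
```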

They also found that the app didn’t check whether new users owned the email addresses they signed up with. Researchers found that they could even create accounts with made-up email addresses. 

Learn more specific details about their research here.

The company’s response

The students attempted several times to inform the vendor, CSC ServiceWorks, about the flaw, but received no response initially. CSC ServiceWorks has a large reach, with over one million machines operating across college campuses, hotels, housing communities, and more in the US, Canada, and Europe. Letting the issue go unchecked could have had a big impact. 

After the story was first published, CSC finally made an official statement about the situation, revealing that they were working on rectifying the issue and updating the website so that the public could more easily inform the company about potential security issues. Acknowledging the students for their work, Stephen Gilbert, CSC’s vice president of marketing, said: 

“We would like to thank Mr. Sherbrooke and Mr. Taranenko for their contributions to making companies like CSC ServiceWorks and their stakeholders more secure. We apologize for not responding to them in a more timely manner.”

The takeaway 

With the countless horror stories about serious security breaches and sensitive data compromise we seem to be bombarded with daily, this comparatively low-stakes story is a welcome change of pace. Once more, we have been given an example of just how vital strong security is on every level if you want to protect everything from your customers to your bottom line.
