Two students have found a way to do their laundry for free after discovering a bug in the app that comes with the washing machines on their college campus.
Acting in good faith, they reported their findings to the vendor. The company that makes the app, however, appears not to have responded to their messages or, worse, to have fixed the issue for months.
Reporting on the findings, TechCrunch says the bug is still present and free washing is still possible.
Tapped API
According to the report, UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko discovered more than three months ago that the internet-connected washing machine app built by CSC ServiceWorks had numerous flaws. Among other things, the app lets users top up their accounts and spend the balance on laundry.
First, anyone could register an account with any fake email address: the app did not check that the person creating the account actually controlled the associated email address, a verification step that is standard practice these days.
They then discovered that the API used by the CSC Go mobile app was so flawed that it let users trick CSC servers into accepting commands that change account balances. One of the students topped up his account by more than a million dollars to prove the point.
After discovering the flaws, the two students tried to contact the company in various ways, but were ultimately unable to share their findings with anyone. They then contacted the media.
“I just don’t understand how such a big company makes these kinds of mistakes and then can’t contact them,” Taranenko said. “In the worst case, people can easily overload their wallets and the company loses a lot of money. Why not spend the bare minimum on one monitored security email inbox for situations like this?”
The company cleared students’ balances, but apparently the bug can still be exploited.