Students Spot Washing Machine App Flaw That Gives Out Free Cycles

Published: 23/11/2024   Category: security




UCSC students say that, months after reporting the bug, they are still able to rack up unlimited free wash loads at their local laundromat.



Two students from the University of California, Santa Cruz (UCSC) discovered a security flaw in CSC ServiceWorks washing machines that allows unlimited free laundry cycles.
The students, Alexander Sherbrooke and Iakov Taranenko, told TechCrunch that the bug lets anyone send remote commands to the laundry machines.
The vulnerability is in the API used by CSC Go, CSC's mobile app. The API can be tricked into accepting commands because the security checks are performed by the app on the user's device, and CSC's servers automatically trust the app's verdict instead of verifying it themselves. Anyone who bypasses the app and talks to the API directly therefore skips the checks entirely.
The flaw was discovered when Sherbrooke ran a script instructing a machine to run a cycle even though his account balance was $0. To his surprise, the machine lit up and prompted him to press the start button to begin the cycle.
But the students didn't stop there. Next, they added a balance of several million dollars to their laundry accounts, which the CSC Go mobile app allowed.
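To make the failure concrete, here is an added illustrative model of a pay-per-use command API. It is not CSC Go's or CSC ServiceWorks' code: the article names no endpoints or request fields, so the `start_cycle`/`top_up` handlers, the request dictionaries, the $2.50 price and the stub payment table are all assumptions. The first pair of handlers trusts the flags and amounts the app computed; the second pair performs the balance check, the account binding and the payment confirmation on the server, which is the only place they count.

```python
"""Client-trusted versus server-enforced checks for a pay-per-use command API.

Added, illustrative example: not CSC Go's or CSC ServiceWorks' code. Every
name, field and price here is assumed for demonstration purposes.
"""
from dataclasses import dataclass, field

CYCLE_PRICE_CENTS = 250  # assumed price per wash


@dataclass
class Ledger:
    """Server-side state: balances in cents and payment tokens already credited."""
    balances: dict = field(default_factory=dict)
    used_tokens: set = field(default_factory=set)


# Constructed stand-in for a payment processor: token -> cents actually settled.
PAYMENTS_SETTLED = {"tok-pay-500": 500}


# --- Vulnerable pattern: the server believes what the client computed --------

def start_cycle_vuln(ledger: Ledger, req: dict) -> dict:
    """The app checks the balance locally and sends 'funds_ok'; the server never
    consults its own ledger, so a script can simply set the flag itself."""
    if not req.get("funds_ok"):
        return {"started": False, "reason": "client reported no funds"}
    return {"started": True, "machine": req["machine"]}


def top_up_vuln(ledger: Ledger, req: dict) -> dict:
    """Credits whatever 'amount' the client claims to have paid."""
    acct = req["account"]
    ledger.balances[acct] = ledger.balances.get(acct, 0) + req["amount"]
    return {"balance": ledger.balances[acct]}


# --- Hardened pattern: the server is the only source of truth ----------------

def start_cycle_safe(ledger: Ledger, req: dict, session_account: str) -> dict:
    """Bind the request to the authenticated session, then check and debit the
    server-side balance atomically with the start command."""
    acct = req["account"]
    if acct != session_account:
        return {"started": False, "reason": "account does not match session"}
    bal = ledger.balances.get(acct, 0)
    if bal < CYCLE_PRICE_CENTS:
        return {"started": False, "reason": "insufficient funds"}
    ledger.balances[acct] = bal - CYCLE_PRICE_CENTS
    return {"started": True, "machine": req["machine"], "balance": ledger.balances[acct]}


def top_up_safe(ledger: Ledger, req: dict, session_account: str) -> dict:
    """Credit only what the processor confirms for a one-time token; any
    client-supplied 'amount' is ignored and tokens cannot be replayed."""
    acct = req["account"]
    if acct != session_account:
        return {"credited": 0, "reason": "account does not match session"}
    token = req.get("payment_token")
    if token in ledger.used_tokens or token not in PAYMENTS_SETTLED:
        return {"credited": 0, "reason": "unknown or replayed payment"}
    ledger.used_tokens.add(token)
    paid = PAYMENTS_SETTLED[token]
    ledger.balances[acct] = ledger.balances.get(acct, 0) + paid
    return {"credited": paid, "balance": ledger.balances[acct]}


def demo() -> dict:
    """Replays the two moves described in the article against both servers:
    a cycle on a $0 account, then a multi-million-dollar top-up."""
    cycle_req = {"account": "alice", "machine": "w7", "funds_ok": True}
    topup_req = {"account": "alice", "amount": 500_000_000, "payment_token": "tok-pay-500"}
    out = {}

    v = Ledger()  # empty ledger: alice has $0
    out["vuln_free_cycle"] = start_cycle_vuln(v, cycle_req)["started"]      # True
    out["vuln_balance"] = top_up_vuln(v, topup_req)["balance"]              # 500_000_000

    s = Ledger()
    out["safe_free_cycle"] = start_cycle_safe(s, cycle_req, "alice")["started"]   # False
    out["safe_balance"] = top_up_safe(s, topup_req, "alice")["balance"]           # 500
    out["safe_replay"] = top_up_safe(s, topup_req, "alice")["credited"]           # 0
    out["safe_wrong_account"] = start_cycle_safe(
        s, {"account": "bob", "machine": "w7"}, "alice")["started"]               # False
    paid = start_cycle_safe(s, cycle_req, "alice")
    out["safe_cycle_after_pay"] = paid["started"]                                 # True
    out["safe_balance_after_pay"] = paid["balance"]                               # 250
    return out


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The point of the hardened handlers is not the specific fields but where the decision is made: the `funds_ok` flag and the client-side `amount` are never read, the account is taken from the session rather than the request body, and money enters the ledger only when the payment processor confirms a token that has not been seen before.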
Sherbrooke and Taranenko contacted CSC ServiceWorks, which has no page devoted to security or bug reporting, through its online contact form in January of this year but never received a response. Calling the company hit the same brick wall.
Now, months later, having waited longer than the three months that researchers usually grant vendors to fix their vulnerabilities before going public, the pair is going into more detail about their findings.
Dark Reading reached out to CSC ServiceWorks for comment but has not yet received a response.
On May 20, Sherbrooke and Taranenko published a blog post at Slug Security, described as a more technical continuation of their interview with TechCrunch.
The students said they waited so long to report the bug because they wanted to make sure they were going about the process correctly.
"We don't want a multi-million dollar company throwing a lawsuit at us because we didn't report it," they said. The UCSC students even enlisted the help of Carnegie Mellon University's CERT Coordination Center to contact the vendor, but the vendor didn't even visit CERT's portal to view the message.
After the students reported their findings, CSC wiped their multimillion-dollar account balance, but the vulnerabilities remain unfixed.
"Worst-case scenario, people can easily load up their wallets and the company loses a ton of money," Taranenko said. "Why not spend a bare minimum of having a single monitored security email inbox for this type of situation?"





