These students discovered a security bug that could let millions of us do laundry for free

Reporting on the findings, TechCrunch says the bug is still present and that free laundry is still possible.

Bugged API 

Apparently, more than three months ago, UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko discovered that the app for internet-connected laundry machines built by CSC ServiceWorks came with numerous flaws. The app, among other things, allows users to top up their accounts and use the funds to purchase laundry washing. 

First, anyone could register an account with any fake email address - the app didn’t bother checking if the owner of the account also owned the associated email address (which is standard practice these days).

Then, they found that the API used by the CSC Go mobile app was flawed in a way that allowed the users to trick CSC servers into accepting commands that change the account balance. One of the users topped up their account by more than a million dollars, to prove their point. 

After discovering the flaws, the two students allegedly tried reaching out to the company in different ways, but failed to ultimately share their findings with anyone. After that, they contacted the media. 

“I just don’t get how a company that large makes those types of mistakes, then has no way of contacting them,” Taranenko said. “Worst-case scenario, people can easily load up their wallets and the company loses a ton of money. Why not spend a bare minimum of having a single monitored security email inbox for this type of situation?”

The company did wipe the students’ balance, but apparently the bug can still be abused.

More from TechRadar Pro

• Microsoft wants to take any MFA and 2FA worries out of your hands
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now