How did two university students get free laundry services?
Answer: By finding a vulnerability in the API that the machines’ payment app talks to.
CSC ServiceWorks provides Internet-connected laundry machines in residences and college campuses all over the world. Typically, you have to pay for each load of laundry you do with their machines, but two university students have discovered a workaround.
UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko discovered in January that they could remotely send commands to the machines and start them without paying. The flaw lies in the API behind CSC’s mobile app: the check that an account holds enough money to pay for a cycle is performed by the app, not by CSC’s servers. Because the servers accept whatever the app tells them, the students bypassed the check by sending commands straight to the servers, which then started cycles as though the accounts held adequate funds, even when they did not.
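The pattern described above, shown as an added illustration rather than CSC’s own code: the API fields, price and account model are hypothetical, and the real service was not examined. A legitimate app client checks the balance before building its request; a vulnerable server trusts that the check happened, so a request assembled by hand (never going through the app) starts a cycle on an empty account, while a hardened server re-checks and debits the balance itself:

```python
"""Client-side versus server-side balance checks for a pay-per-use machine API.

Added illustration; this is not CSC's code, and the API shape, field names
and price below are hypothetical. It models the flaw described in the text:
the app refuses to start a cycle when the balance is too low, but the server
never re-checks, so a request built by hand skips the check entirely.
"""
from dataclasses import dataclass, field

CYCLE_PRICE_CENTS = 175  # hypothetical price of one wash cycle


@dataclass
class Account:
    user_id: str
    balance_cents: int
    cycles_started: list = field(default_factory=list)


class InsufficientFunds(Exception):
    pass


def build_request_via_app(account, machine_id):
    """What the legitimate mobile app does: check funds locally, then build
    the API call. An attacker simply never runs this function."""
    if account.balance_cents < CYCLE_PRICE_CENTS:
        raise InsufficientFunds(account.user_id)
    return {"user_id": account.user_id, "machine_id": machine_id, "paid": True}


def vulnerable_start_cycle(request, accounts):
    """Server handler that trusts the client's claim that payment was checked.
    It neither verifies the balance nor debits it."""
    account = accounts[request["user_id"]]
    if not request.get("paid"):
        return {"ok": False, "error": "payment required"}
    account.cycles_started.append(request["machine_id"])
    return {"ok": True, "machine_id": request["machine_id"]}


def hardened_start_cycle(request, accounts):
    """Server handler that enforces the price itself: look up the server-side
    balance, reject if short, debit, and only then start the machine.
    In a real service the check-and-debit must be one atomic transaction,
    otherwise two concurrent requests can both pass the check."""
    account = accounts.get(request.get("user_id"))
    if account is None:
        return {"ok": False, "error": "unknown account"}
    if account.balance_cents < CYCLE_PRICE_CENTS:
        return {"ok": False, "error": "insufficient funds"}
    account.balance_cents -= CYCLE_PRICE_CENTS
    account.cycles_started.append(request["machine_id"])
    return {"ok": True, "machine_id": request["machine_id"],
            "balance_cents": account.balance_cents}


def forged_request_outcome():
    """Zero-balance account; the request is built by hand with paid=True,
    exactly as if sent straight to the API without the app's check.
    Returns (accepted by vulnerable server, accepted by hardened server)."""
    accounts = {"alice": Account("alice", balance_cents=0)}  # constructed
    forged = {"user_id": "alice", "machine_id": "W-12", "paid": True}
    vulnerable = vulnerable_start_cycle(forged, accounts)["ok"]
    hardened = hardened_start_cycle(forged, accounts)["ok"]
    return vulnerable, hardened


def legitimate_request_outcome():
    """Funded account going through the app: the hardened server starts the
    cycle and debits the price. Returns the remaining balance in cents."""
    accounts = {"bob": Account("bob", balance_cents=400)}  # constructed
    req = build_request_via_app(accounts["bob"], "W-07")
    hardened_start_cycle(req, accounts)
    return accounts["bob"].balance_cents


if __name__ == "__main__":
    print("forged request accepted (vulnerable, hardened):", forged_request_outcome())
    print("balance after a paid cycle on the hardened server:", legitimate_request_outcome())
```

The only change that closes the hole is in the server: whatever the app checks is a convenience for the user, and any decision that costs money has to be made again against state the client cannot edit.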
The students attempted to contact CSC by email and phone to notify it of the flaw but received no response, and the issue has still not been fixed. They even contacted the CERT Coordination Center at Carnegie Mellon University, which coordinates vulnerability disclosure between researchers and vendors, but to no avail. As of now, anyone with the technical know-how can get their laundry done for free.