{"id":3074,"date":"2024-07-02T05:33:11","date_gmt":"2024-07-02T12:33:11","guid":{"rendered":"https:\/\/www.ssls.com\/blog\/?p=3074"},"modified":"2024-07-04T01:29:46","modified_gmt":"2024-07-04T08:29:46","slug":"laundry-vendor-had-security-bug-that-could-let-millions-do-laundry-for-free","status":"publish","type":"post","link":"https:\/\/www.ssls.com\/blog\/laundry-vendor-had-security-bug-that-could-let-millions-do-laundry-for-free\/","title":{"rendered":"Laundry vendor had security bug that could let millions do laundry for&nbsp;free"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.ssls.com\/blog\/wp-content\/uploads\/SSL_Blog_Laundry.png\" alt=\"\" class=\"wp-image-2327\"\/><\/figure>\n\n\n\n<p>Nobody likes to do laundry. Even worse when you have to drag all your dirty clothes to a laundromat and pay for the privilege on top of everything else. But for a brief moment in time, two students at UC Santa Cruz discovered that maybe you don\u2019t always have to pay.&nbsp;<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">Security flaw in laundry app API<\/h2>\n\n\n\n<p>The two students, Alexander Sherbrooke and Iakov Taranenko, found a vulnerability in their university\u2019s network of laundry appliances that allowed them to send commands to do free laundry. The first time he did it, Sherbrooke had $0 in his laundry account, but he was able to start a wash nonetheless. Another student added several million dollars to his account thanks to the bug.&nbsp;<br><\/p>\n\n\n\n<p>The specific issue was related to the laundry service\u2019s mobile app, which is designed to let mobile apps communicate with the washing machines. The major flaw was that the company servers automatically trusted security checks performed by the app. 
By exploiting this knowledge, Sherbrooke and Taranenko could circumvent security checks entirely and send commands straight to the server.<br><\/p>\n\n\n\n<p>They also found that the app didn\u2019t check whether new users owned the email addresses they signed up with. Researchers found that they could even create accounts with made-up email addresses.&nbsp;<br><\/p>\n\n\n\n<p>Learn more specific details about their research <a href=\"https:\/\/slugsec.ucsc.edu\/posts\/Laundry-2024\">here<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The company\u2019s response<\/h2>\n\n\n\n<p>The students attempted several times to inform the vendor, CSC ServiceWorks, about the flaw, but received no response initially. CSC ServiceWorks has <a href=\"https:\/\/www.cscsw.com\/about-us\/\">a large reach<\/a>, with over one million machines operating across college campuses, hotels, housing communities, and more in the US, Canada, and Europe. Letting the issue go unchecked could have had a big impact.&nbsp;<br><\/p>\n\n\n\n<p>After the story was <a href=\"https:\/\/techcrunch.com\/2024\/05\/17\/csc-serviceworks-free-laundry-million-machines\/\">first published<\/a>, CSC finally made an official statement about the situation, revealing that they were working on rectifying the issue and updating the website so that the public could more easily inform the company about potential security issues. Acknowledging the students for their work, Stephen Gilbert, CSC\u2019s vice president of marketing, said:&nbsp;<br><\/p>\n\n\n\n<p>\u201cWe would like to thank Mr. Sherbrooke and Mr. Taranenko for their contributions to making companies like CSC ServiceWorks and their stakeholders more secure. 
We apologize for not responding to them in a more timely manner.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The takeaway&nbsp;<\/h2>\n\n\n\n<p>With the countless horror stories about serious security breaches and sensitive data compromise we seem to be bombarded with daily, this comparatively low-stakes story is a welcome change of pace. Once more, we have been given an example of just how vital strong security is on every level if you want to protect everything from your customers to your bottom line.<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nobody likes to do laundry. Even worse when you have to drag all your dirty clothes to a laundromat and pay for the privilege on top of everything else. But for a brief moment in time, two students at UC Santa Cruz discovered that maybe you don\u2019t always have to pay.&nbsp;<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3074","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/3074","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/comments?post=3074"}],"version-history":[{"count":2,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/3074\/revisions"}],"predecessor-version":[{"id":3083,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/3074\/revisions\/3083"}],"wp:attachment":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/media?parent=3074"}],"wp:term":[{"taxonomy":"categor
y","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/categories?post=3074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/tags?post=3074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}