In a classic tale of student ingenuity, two undergraduate researchers at the University of California, Santa Cruz, discovered a security flaw in a widely used laundry payment system, potentially giving them and millions of others access to unlimited free laundry cycles.
Alexander Sherbrooke and Iakov Taranenko, the resourceful duo, were simply trying to do their laundry one evening when Sherbrooke, out of curiosity and with no money in his laundry account, decided to experiment with a code script on his laptop. To their surprise, the script successfully commanded the machine to start a cycle without charging their account.
Intrigued, they delved deeper, uncovering a vulnerability in the system operated by CSC ServiceWorks, a company managing over a million laundry machines across the United States. They found they could manipulate their account balances, adding substantial sums through the company’s mobile app.
While their initial motivation was simply to do their laundry for free, the students quickly realized the broader implications of their discovery. The security flaw could potentially be exploited by others, costing the company millions in lost revenue.
In a responsible move, Sherbrooke and Taranenko attempted to alert CSC ServiceWorks to the issue, reaching out through various channels in January. However, their attempts were met with silence, with the company seemingly unaware of the vulnerability.
Months later, with no response from the company and the bug still unpatched, the students decided to share their findings with TechCrunch. While the students’ actions have raised ethical questions about responsible disclosure, their discovery has undoubtedly brought attention to the issue, prompting the company to investigate and address the vulnerability.
For now, students across the country might be enjoying the perk of free laundry, thanks to the ingenuity of two of their peers. Their story serves as a reminder of the importance of cybersecurity, even in seemingly mundane systems like laundry payment platforms.