Two students found a way to do their laundry for free after discovering a bug in the app that accompanies the laundry machines on their college campus.
Because they were honest people, they reported their findings in good faith. However, the company behind the app apparently did not bother to respond to their messages or, worse yet, to address the issue for months.
According to TechCrunch, which reported the findings, the bug is still present and free laundry is still possible.
A flawed API
Apparently, more than three months ago, UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko discovered that the app for the Internet-connected washing machines built by CSC ServiceWorks had numerous bugs. Among other things, the app allows users to top up their accounts and use the funds to pay for laundry.
First, anyone could register an account with any fake email address: the app didn't bother to check whether the account owner also owned the associated email address (which is standard practice nowadays).
They then discovered that the API used by the CSC Go mobile app had flaws that allowed users to trick CSC's servers into accepting commands that changed the account balance. One of the students topped up his account with more than a million dollars to prove the point.
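To illustrate the class of flaw described above, here is an added example (not CSC's code, which the article does not show) of a hypothetical top-up endpoint that trusts a client-supplied amount, beside a version that credits only what a server-side payment record confirms, once, for the wallet that was actually charged:

```python
from dataclasses import dataclass, field


@dataclass
class Wallet:
    balance_cents: int = 0


@dataclass
class PaymentProcessor:
    """Stand-in for the card processor (hypothetical): only receipts it issued are valid."""
    issued: dict = field(default_factory=dict)   # receipt_id -> (wallet_id, cents)
    redeemed: set = field(default_factory=set)

    def charge(self, wallet_id: str, cents: int) -> str:
        receipt_id = f"rcpt-{len(self.issued) + 1}"
        self.issued[receipt_id] = (wallet_id, cents)
        return receipt_id


def topup_insecure(wallets: dict, wallet_id: str, amount_cents: int) -> int:
    """Vulnerable pattern: the amount comes straight from the client request.
    Any caller can credit any value, which is the flaw the article describes."""
    wallets[wallet_id].balance_cents += amount_cents
    return wallets[wallet_id].balance_cents


def topup_secure(wallets: dict, processor: PaymentProcessor,
                 wallet_id: str, receipt_id: str) -> int:
    """Hardened pattern: the client only names a receipt; the amount and the
    wallet it belongs to are read from the server-side payment record."""
    if receipt_id in processor.redeemed:
        raise ValueError("receipt already redeemed")        # blocks replay
    record = processor.issued.get(receipt_id)
    if record is None:
        raise ValueError("unknown receipt")                 # blocks forged receipts
    paid_wallet, cents = record
    if paid_wallet != wallet_id or cents <= 0:
        raise ValueError("receipt does not match this wallet")
    processor.redeemed.add(receipt_id)
    wallets[wallet_id].balance_cents += cents
    return wallets[wallet_id].balance_cents


if __name__ == "__main__":
    wallets = {"w1": Wallet()}                              # constructed sample data
    print(topup_insecure(wallets, "w1", 100_000_000))      # $1,000,000 credited unchecked
    proc = PaymentProcessor()
    print(topup_secure(wallets, proc, "w1", proc.charge("w1", 500)))
```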
After discovering the flaws, the two students reportedly tried to contact the company in several ways, but were ultimately unable to share their findings with anyone. They later contacted the media.
“I just don't understand how a company that big makes those kinds of mistakes and then has no way to contact them,” Taranenko said. “In the worst case, people could easily fill their wallets and the company would lose a lot of money. Why not spend the minimum on having a single monitored security email inbox for this type of situation?”
The company wiped the students' balances, but the flaw can apparently still be abused.