Two California college students stumbled upon a way to get free laundry services by exploiting a security vulnerability.
The flaw remains unfixed.
The flaw exists between CSC’s mobile app, “CSC Go,” and its backend servers.
He then quickly wrote a simple script instructing the app to start the machine.
He figured there was no way his script would work since he had no money in his laundry account.
To his surprise, the machine lit up and displayed the words “Push Start.”
It turned out they could push it as far as they wanted.
In one case, they claimed they added several million dollars to one of their laundry accounts.
Despite the absurd deposit, the app showed a multimillion-dollar balance.
So they sent several messages through the website’s contact page, but the company never responded.
They tried phoning CSC, but that also led nowhere.
The students say the exploits work because the CSC Go app handles all transactional security validations on-rig.
The CSC servers automatically trust the incoming commands since they think they are coming from the app.
TechCrunch attempted to contact CSC for comment, but nobody returned its email.
Image credit:Alberto_VO5
