Close Menu
TechTost
  • AI
  • Apps
  • Crypto
  • Fintech
  • Hardware
  • Media & Entertainment
  • Security
  • Startups
  • Transportation
  • Venture
  • Recommended Essentials
What's Hot

New Google ad imagines a Declaration of Independence written with the help of artificial intelligence

What is Mistral AI? Everything you need to know about the OpenAI competitor

Podcasting platform Riverside is getting into the newsletter game

Facebook X (Twitter) Instagram
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer
Facebook X (Twitter) Instagram
TechTost
Subscribe Now
  • AI

    What is Mistral AI? Everything you need to know about the OpenAI competitor

    4 July 2026

    Anthropic is discussing a new custom chip with Samsung

    3 July 2026

    Jersey Mike’s IPO shows just how bad the AI ​​hype has gotten

    3 July 2026

    OpenAI proposed donating 5% of its equity to a US sovereign wealth fund

    2 July 2026

    SpaceX has a prototype AI device, and it sure sounds like a phone

    2 July 2026
  • Apps

    Podcasting platform Riverside is getting into the newsletter game

    4 July 2026

    Threads adds new features to Live Chats as it expands access

    4 July 2026

    Travel app Hopper to pay $35 million in FTC settlement over ‘unfair’ hidden fees

    3 July 2026

    Meta quietly launches vibe-encoded Pocket gaming app

    3 July 2026

    Popular TV-watching app TV Time is shutting down as the company focuses on artificial intelligence

    2 July 2026
  • Crypto

    Venice AI goes unicorn with $65M Series A as first privacy AI platform takes off

    1 July 2026

    Crypto Exchange OKX wants AI agents to hire and pay each other

    30 June 2026

    Startup Battlefield 200 applications close today

    27 May 2026

    5 days left: Save up to $410 on Disrupt 2026 passes

    25 May 2026

    As crypto cools, a16z crypto raises $2.2 billion in capital

    6 May 2026
  • Fintech

    India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

    28 June 2026

    Early Bird pricing ends tonight for the Founder Summit

    26 June 2026

    4 days left to save up to $190 on Founder Summit 2026

    23 June 2026

    Robinhood’s note on 10% layoffs shows that blaming AI doesn’t cut it

    17 June 2026

    Anthropic’s latest spat with the Trump administration may actually help it, sales figures suggest

    17 June 2026
  • Hardware

    IQM, Europe’s first public quantum company, admits that the future of the technology is uncertain

    3 July 2026

    Thiel Capital’s Jack Selby commits stakes in hot startups like Etched through Arizona connections

    3 July 2026

    Ashton Kutcher is leaving Sound Ventures to start a new VC firm with Morgan Beller

    2 July 2026

    Flipper’s new Busy Bar is a customizable display for productivity

    30 June 2026

    South Korea’s tech giants pledge over $550 billion to ease ‘RAMageddon’

    30 June 2026
  • Media & Entertainment

    New Google ad imagines a Declaration of Independence written with the help of artificial intelligence

    4 July 2026

    Cloudflare’s new policy pushes AI companies to pay for publishers’ content

    1 July 2026

    Watch out, Amazon: The Kobo eReader now has a Goodreads rival

    29 June 2026

    YouTube Shorts just got even shorter with an update that lets you double the playback speed

    25 June 2026

    Deezer says its new feature allows fans to remix songs with the artist’s consent

    24 June 2026
  • Security

    Politician who investigated abuses of wiretapping software on his phone with Pegasus spyware

    3 July 2026

    The US government says it’s been hacked — again

    2 July 2026

    In major privacy victory, Supreme Court rules that geo-trafficking warrants are protected by privacy rights

    29 June 2026

    The Klue hack results in a data breach at several cybersecurity companies

    26 June 2026

    Cellebrite said it cut off Russia, but Russia used its tools anyway

    26 June 2026
  • Startups

    Your Brand Deserves Its Own Stage — TechCrunch Disrupt 2026 Side Events

    4 July 2026

    The browser wars aren’t about search anymore — here are the best alternatives to Chrome and Safari

    3 July 2026

    Last chance to apply — Startup Battlefield Australia applications close on 6 July

    3 July 2026

    Arcturus could halve grid electrical losses using nano-infused metals

    2 July 2026

    Indian tech tycoon bets $30 million of his own money to build AI alternative to Microsoft Office

    2 July 2026
  • Transportation

    Chevy built an all-American EV truck — why isn’t anyone buying it?

    3 July 2026

    Rivian raises EV sales forecast as second-quarter production ramps up

    3 July 2026

    Lucid Motors CFO steps down as new CEO continues leadership shakeup

    2 July 2026

    Tesla begins testing Cybercab without pedals or steering wheel in Austin

    2 July 2026

    Lime is starting life as a public company after years of uncertainty

    1 July 2026
  • Venture

    After $18B IPO, Bending Spoons Founder Says Success Comes From Minimizing Luck

    2 July 2026

    Bending Spoons defies SaaS slump, up 40% on first day of trading

    2 July 2026

    The DeepMind trio that created a poker AI is now making money for quantitative hedge funds

    1 July 2026

    Patronus AI lands $50 million to create ‘digital worlds’ that stress-test AI agents

    26 June 2026

    How to invest when everything is moving too fast

    24 June 2026
  • Recommended Essentials
TechTost
You are at:Home»Security»Two students discover a security flaw that could let millions do their laundry for free
Security

Two students discover a security flaw that could let millions do their laundry for free

techtost.comBy techtost.com17 May 202405 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Email
Two Students Discover A Security Flaw That Could Let Millions
Share
Facebook Twitter LinkedIn Pinterest Email

A pair of university students say they found and reported earlier this year a security flaw that allows anyone to avoid paying for laundry services provided by more than a million internet-connected laundromats in residences and college campuses around the world.

Months later, the vulnerability remains open after the vendor, CSC ServiceWorks, ignored repeated requests to fix the flaw.

UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to send remote commands to washing machines operated by CSC and run free laundry cycles.

Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours of a morning in January with his laptop in hand and “all of a sudden he had an ‘ouch’ moment.” From his laptop, Sherbrooke ran a code script with instructions that told the machine in front of him to start a cycle, even though he had $0 in his account at the laundromat. The machine immediately woke up with a loud beep and flashed “PUSH START” on its display, indicating that the machine was ready to wash a free load of laundry.

In another instance, students added an apparent multimillion-dollar balance to one of their laundry accounts, which is reflected in CSC Go mobile app as if it was a perfectly normal amount of money for a student to spend at the laundromat.

CSC ServiceWorks is a large laundry service company, advertising a network over one million laundry machines installed in hotels, campuses and residences in the United States, Canada and Europe.

Since CSC ServiceWorks does not have a dedicated security page for reporting security vulnerabilities, Sherbrooke and Taranenko sent the company several messages through its online contact form in January, but did not hear back from the company. A call to the company got them nowhere, they said.

The students also sent their findings to the CERT Coordination Center at Carnegie Mellon University, which helps security researchers uncover flaws in affected vendors and provide fixes and guidance to the public.

The students are now revealing more about their findings after waiting longer than the usual three months security researchers typically give vendors to fix flaws before going public. The pair first revealed their research in a presentation at their university cyber security club earlier in May.

It’s unclear who, if anyone, is responsible for cybersecurity at CSC, and CSC representatives did not respond to TechCrunch’s requests for comment.

The student researchers said the vulnerability is in the API used by CSC’s mobile app, CSC Go. An API allows applications and devices to communicate with each other over the Internet. In this case, the customer opens the CSC Go app to top up their account with money, pay and start a laundry load at a nearby machine.

Sherbrooke and Taranenko discovered that CSC’s servers can be tricked into accepting commands that modify their account balances because any security checks are done by the app on the user’s device and automatically trusted by CSC’s servers. This allows them to pay for laundry without actually putting money into their accounts.

By analyzing network traffic while online and using the CSC Go app, Sherbrooke and Taranenko found that they could bypass the app’s security checks and send commands directly to CSC’s servers, which are not available through the app itself.

Technology vendors like CSC are ultimately responsible for making sure their servers run the right security checks, otherwise it’s akin to a bank vault protected by a guard who doesn’t bother to check who’s allowed in.

The researchers said that potentially anyone can create a CSC Go user account and send commands using the API, because the servers also don’t check whether new users have their email addresses. The researchers tested this by creating a new CSC account with a fabricated email address.

With direct API access and reference to CSC its own published list of commands for communicating with its serversthe researchers said it is possible to remotely locate and interact with “any washing machine in the connected CSC ServiceWorks network.”

Practically, free washing has an obvious advantage. However, the researchers highlighted the potential dangers of heavy-duty devices being connected to the internet and vulnerable to attack. Sherbrooke and Taranenko said they didn’t know whether sending commands through the API could bypass safety restrictions on modern washing machines to prevent overheating and fires. The researchers said that someone would have to physically press the washer’s start button to start a cycle, until then the settings on the front of the washer can’t be changed unless someone resets the washer.

CSC quietly wiped out the researchers’ multimillion-dollar account balance after they reported their findings, but the researchers said the bug remains unfixable and it’s still possible for users to “freely” give themselves any amount of money.

Taranenko said he was disappointed that CSC did not recognize their vulnerability.

“I just don’t understand how a company this big makes these kinds of mistakes, then has no way to contact them,” he said. “Worst case scenario, people can easily load their wallets and the company loses a ton of money, so why not spend the bare minimum to have a single security inbox that’s monitored for these types of situations?”

But researchers are undeterred by the lack of response from the CSC.

“Since we’re doing this in good faith, I don’t mind spending a few hours on hold to call the help desk if it would help a company with their security issues,” Taranenko said, adding that it was “fun to do this kind of safety research in the real world and not just in simulated competitions’.

cyber security Discover Exclusive flaw free laundry laundry on demand millions security students universities
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleLeverage the TechCrunch Effect: Host a side event at Disrupt 2024
Next Article White House proposes up to $120 million to fund expansion of Polar Semiconductor’s chip facility
bhanuprakash.cg
techtost.com
  • Website

Related Posts

Politician who investigated abuses of wiretapping software on his phone with Pegasus spyware

3 July 2026

The US government says it’s been hacked — again

2 July 2026

Arcturus could halve grid electrical losses using nano-infused metals

2 July 2026
Add A Comment

Leave A Reply Cancel Reply

Don't Miss

New Google ad imagines a Declaration of Independence written with the help of artificial intelligence

4 July 2026

What is Mistral AI? Everything you need to know about the OpenAI competitor

4 July 2026

Podcasting platform Riverside is getting into the newsletter game

4 July 2026
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Fintech

India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

28 June 2026

Early Bird pricing ends tonight for the Founder Summit

26 June 2026

4 days left to save up to $190 on Founder Summit 2026

23 June 2026
Startups

Your Brand Deserves Its Own Stage — TechCrunch Disrupt 2026 Side Events

The browser wars aren’t about search anymore — here are the best alternatives to Chrome and Safari

Last chance to apply — Startup Battlefield Australia applications close on 6 July

© 2026 TechTost. All Rights Reserved
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer

Type above and press Enter to search. Press Esc to cancel.