Bro don’t fucken tell the company wtf.
Fucking it up for the rest of us
His hat is only white because he got to test this a bunch before exposing the vulnerability.
HEAR YE HEAR YE! best comment here! Hahaha
When I found a loophole for cheap Wendy’s food, I absolutely abused it a dozen times as a poor college student. It involves receipts and going to different Wendy’s.
Hey I think every white hat deserves some leniency in their Robin Hooding haha.
Fun.
From the article, the linked Swagger docs : https://web.archive.org/web/20240120071238/https://mycscgo.com/api/v1/docs/static/index.html#/
And a little more detailed account : https://timesofindia.indiatimes.com/technology/tech-news/how-this-security-bug-in-washing-machines-can-help-college-students-in-the-us-do-free-laundry/articleshow/110277923.cms
It looks like these laundry machines are controlled by a mobile app, and requests are routed through The Internet™. The flaw appears to be that the web service presumes a user is only able to gain access to its API endpoints via the mobile app, which only exposes certain functions to a user.
Once authorized, though, there are no further checks, like OAuth scopes or even user roles, to prevent someone from doing a little bit of lateral movement to admin-style endpoints.
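As an added illustration of the "authenticated but never authorized" pattern this comment describes (example code written for this thread, not from the article, the Swagger docs or CSC's API; the routes, scopes and session tokens are all constructed), here is a tiny dispatcher in its weak form next to a version that checks a per-route scope and denies by default, plus a review helper that flags spec routes with no scope requirement:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Who is calling and what they are allowed to do."""
    subject: str
    scopes: frozenset


# Constructed session store: bearer string -> token. A real service would
# verify a signed JWT or look the session up in a database instead.
SESSIONS = {
    "tok-student": Token("student@example.edu",
                         frozenset({"laundry:read", "laundry:start"})),
    "tok-operator": Token("ops@example.com",
                          frozenset({"laundry:read", "laundry:start", "laundry:admin"})),
}

# Hypothetical route table. The mobile app only ever calls the first two;
# the last two are admin-style endpoints that exist for operators.
REQUIRED_SCOPE = {
    "GET /me/balance": "laundry:read",
    "POST /machines/{id}/start": "laundry:start",
    "POST /me/balance/credit": "laundry:admin",
    "POST /machines/{id}/firmware": "laundry:admin",
}


def authenticate(bearer):
    """Authentication only: identifies the caller, returns None if unknown."""
    return SESSIONS.get(bearer)


def handle_vulnerable(bearer, route):
    """Checks that the caller is logged in and nothing else.

    Any valid session reaches any route, which is exactly the gap the
    comment above points at: no scope or role check after login."""
    if authenticate(bearer) is None:
        return 401
    if route not in REQUIRED_SCOPE:
        return 404
    return 200


def handle_hardened(bearer, route):
    """Authentication, then per-route authorization, deny by default."""
    token = authenticate(bearer)
    if token is None:
        return 401
    required = REQUIRED_SCOPE.get(route)
    if required is None:
        # Unknown route: there is no scope to check, so do not serve it.
        return 404
    if required not in token.scopes:
        return 403
    return 200


def audit_routes(spec_routes, required_scope=REQUIRED_SCOPE):
    """Given the routes listed in an API spec (for instance the paths from a
    Swagger document), return the ones with no scope requirement, i.e. the
    ones any authenticated caller could reach. A cheap pre-deployment check."""
    return sorted(r for r in spec_routes if r not in required_scope)


def main():
    # Constructed walkthrough: a student token hitting an operator endpoint.
    for name, handler in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        status = handler("tok-student", "POST /me/balance/credit")
        print(f"{name}: student -> POST /me/balance/credit = {status}")
    print("unscoped routes:", audit_routes(["GET /me/balance", "DELETE /machines/{id}"]))


if __name__ == "__main__":
    main()
```

The point of `audit_routes` is that authorization is easiest to get right as a table the reviewer can read end to end: every path the spec exposes should appear in it, and anything missing is a finding, not an oversight to patch later.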
Lazy. The machine makers should be ashamed.
I once took over an app that worked like this. Access to one thing? Access to everything! And they had a hard coded admin password in the server code. 🤦 The client wasn’t happy when I proposed a complete rewrite. Eventually my manager begged me to stop working with them, so we did.
In this case this is fucked up. Let people wash dammit
They could!
Obviously we need UBI cuz…
Capitalism. “Free” washes would increase rent. And benefit high-volume washers! Might increase lines though (wash more often with no skin in the game), pull back people who may be using laundromats as an alternative. Detrimental to low-volume washing households.
Mostly I’d say it’s an optics thing. Cost per year to exist wouldn’t change much, but clearly public opinion could.
I (white boy) visited India in the early '90s and brought back a bunch of rolls of half-Rupee coins as souvenirs. Turns out they were the exact same weight and diameter as US quarters (even down to the number of ridges, which makes me suspect India bought a bunch of used US minting machines to make them), so I started using them at laundromats. The exchange rate at the time was 35 Rs to the dollar, so a load in the US that normally cost $1 was costing me less than 6 cents. I do feel bad for the harassment that actual Indian customers probably ended up receiving, although possibly the owners never noticed or cared.
I used to work as a teller and we used to run magnets on every roll of quarters that came in from laundromats and car washes. While the weight is correct, American coins are never magnetic. Every single time it’s the laundromats that foot the bill.
Here’s a reminder that most washing machines use a universal key, which you can buy online for like $5. You can just pop it open and hit the little “coin inserted” switch to make it think you paid.
Just hope they don’t have cameras.
Steal those too
Are you sure the key is universal? I don’t need the make and model?
I mean, the owner can choose to re-key it. But there are only a few manufacturers for them. Most laundromats use Speed Queen machines, for instance. And the manufacturer ships them with a single universal key, so the owner isn’t left juggling like forty different keys for a single laundromat. If every machine had a unique key, the owners would need to have a bunch of different keys just to service everything at the end of the day.
I had free laundry for most of my freshman year of college. We had coin-operated machines, and somebody quickly figured out that you can strip 2 wires and just touch them together, or touch a coin to both of them, and every time you did that the machine would think a coin had been inserted. Eventually the college caught on and one day I went down there and all the machines were taken apart with maintenance guys working on them, and after that there was a heavy-duty housing for the coin acceptor with no exposed wires. It was nice while it lasted!
Is it USSA?
There used to be this music festival in my college town and they liked to charge absurd money for “tokens” to use at the vendors. I didn’t use all of them but I found they worked in the parking meters (I think they detected as slugs, because they immediately gave me an hour and flashed the meter) but nobody in the city bothered to ticket me for it. I dunno, I felt kinda bad but at the same time, I don’t like to parallel park.
For what it’s worth, I paid more for the tokens than I ever did parking.
I’ve never heard of CSC, only Coinamatic in every commercially run residential coin laundry I have seen (in Canada). They run on coins or chip cards.
I’m in the midwest and have used csc at every apartment I’ve lived at. Maybe it’s regional?