Bro don’t fucken tell the company wtf.
That’s how it works in security. It is unethical to not give the company time to react before public disclosure.
I think they meant that if the students hadn’t told the company, they and their classmates could have done their laundry for free.
His hat is only white because he got to test this a bunch before exposing the vulnerability.
When I found a loophole for cheap Wendy’s food, I absolutely abused it a dozen times as a poor college student. It involves receipts and going to different Wendy’s.
In this case this is fucked up. Let people wash dammit
Not the same company, but I live in apartments with washer/dryers like this. Coin op entirely removed.
You have to have a device that is bluetooth capable to use them.
Anyway pretty sure someone in this apartment has figured out something similar because the machines keep magically becoming unpaid machines after they get serviced. After each service, they will be asking for money to be able to be used for like a day or so, but then soon enough, I’ll go back to the laundry room and all the machines will be free and not asking for money. Just ready to go, no device required.
Originally, I thought it was the company disabling them due to like a data breach or something and was trying to find out if there was an undisclosed data leak and/or a class action lawsuit brewing. Since neither of those are the case, I’m pretty sure it’s a Notorious Do-Gooder.
So, thanks, Notorious Do-Gooder, for all the free washes and drys.
(Especially since this same idea crossed my mind over a year ago but I’ve just been too lazy to view the bluetooth data traffic myself)
Good, hope you’re enjoying the Internet on “Pretty_Fly_For_A_WIFI” open network
Saw a video that showed using swizzle sticks jammed into the coin slots to release the lock and get free laundry.
I had bike spokes laying around and tried it. It worked, but actually broke the coin slots. Management reconfig’d to other slots, which I then broke.
Laundry was only 25 cents if you knew which slot to put a quart into.
Around 2007 or so I used to unplug Coinstar machines from the internet (plug was usually right in back) and then put in all my coins and try to redeem an online gift card. It used to be you could only get all of your cash back via online gift cards, because the machine took out a fee to give your money back in cash.
When it couldn’t connect to the internet, it would apologize and refund me in cash, with no convenience fee (since I was clearly inconvenienced). Full amount returned.
You were supposed to use plastic coffee straws not a hard piece of metal. Turn a $1 bag of 100 straws into $25-$100 in laundry change depending on how much your reuse the straws.
Honestly coin machines aren’t that bad as they don’t require you to pay a internet bill and they don’t have cyber issues.
Sure it might be inconvenient but you can just have a machine that converts bills to coins like they have at car washes.
They could!
Obviously we need UBI cuz…
Capitalism. “Free” washes would increase rent. And benefit high-volume washers! Might increase lines though (wash more often with no skin in the game), pull back people who may be using laundromats as an alternative. Detrimental to low-volume washing households.
Mostly I’d say it’s an optics thing. Cost per year to exist wouldn’t change much, but clearly public opinion could.
Fun.
From the article, the linked Swagger docs : https://web.archive.org/web/20240120071238/https://mycscgo.com/api/v1/docs/static/index.html#/
And a little more detailed account : https://timesofindia.indiatimes.com/technology/tech-news/how-this-security-bug-in-washing-machines-can-help-college-students-in-the-us-do-free-laundry/articleshow/110277923.cms
It looks like these laundry machines are controlled by a mobile app, and requests are routed through The Internet™. The flaw appears to be the web service presumes a user is only able to gain access to their API endpoints via the mobile app, which only exposes certain functions to a user.
Once authorized, though, there’s no further checks like oauth scopes or even user roles, to prevent someone from doing a little bit of lateral movement to admin-style endpoints.
Lazy. The machine makers should be ashamed.
I once took over an app that worked like this. Access to one thing? Access to everything! And they had a hard coded admin password in the server code. 🤦 The client wasn’t happy when I proposed a complete rewrite. Eventually my manager begged me to stop working with them, so we did.
I (white boy) visited India in the early '90s and brought back a bunch of rolls of half-Rupee coins as souvenirs. Turns out they were the exact same weight and diameter as US quarters (even down to the number of ridges, which makes me suspect India bought a bunch of used US minting machines to make them), so I started using them at laundromats. The exchange rate at the time was 35 Rs to the dollar, so a load in the US that normally cost $1 was costing me less than 6 cents. I do feel bad for the harassment that actual Indian customers probably ended up receiving, although possibly the owners never noticed or cared.
When i used to go to france for my family holiday every year (i live in southeast england so not far) i used to take as many 2p coins as i could because they were close enough to the €2 coin to work in those insert and twist sweet/small toy machines
British coins really seem absurdly overly-beefy for the monetary value they represent. I think it’s a way of saving up metal for the next time the Germans need sorting out.
