UC Santa Cruz students uncover a critical flaw in CSC's laundry machines, allowing free laundry cycles and posing significant security risks

Continue reading
Two University of California, Santa Cruz students, Alexander Sherbrooke and Iakov Taranenko, uncovered a significant security flaw in the API of CSC ServiceWorks’ internet-connected laundry machines.
This vulnerability allows unauthorized users to remotely control laundry cycles and manipulate account balances, essentially enabling free laundry. Despite multiple attempts to report the issue, CSC ServiceWorks has yet to address the problem.
This Threatfeed dissects the technical aspects of the vulnerability, its implications, and the company's response, or lack thereof.
Alexander Sherbrooke discovered the flaw in January while experimenting with the CSC Go app. He executed a script from his laptop, which successfully initiated a laundry cycle without any funds in his account.
This critical "oh s—" moment revealed a systemic failure in CSC's API security.
The vulnerability exists in the API utilized by the CSC Go mobile app, which facilitates communication between users' devices and CSC’s servers. Key weaknesses include:
Sherbrooke and Taranenko exploited the vulnerability by:
import requests
# API endpoint for starting a laundry cycle
url = "https://api.cscserviceworks.com/startCycle"
# Payload with the machine ID and user session token
payload = {
"machine_id": "123456",
"session_token": "abcdefg123456",
"command": "start"
}
# Sending the request
response = requests.post(url, json=payload)
# Checking the response
if response.status_code == 200:
print("Laundry cycle started successfully.")
else:
print("Failed to start laundry cycle.")Sherbrooke and Taranenko attempted to contact CSC ServiceWorks through various channels, including the company's online contact form and phone support. They also reported the issue to the CERT Coordination Center at Carnegie Mellon University.
Despite these efforts, CSC ServiceWorks has not addressed the vulnerability. The company's failure to respond highlights a critical gap in their security posture and incident response processes.
The discovery of this vulnerability by Sherbrooke and Taranenko underscores the importance of robust API security practices. CSC ServiceWorks' lack of response to the reported flaw raises significant concerns about their commitment to security.
It is imperative that they take immediate action to secure their systems and establish better mechanisms for handling security disclosures. This incident serves as a stark reminder of the potential risks associated with internet-connected devices and the critical need for vigilant security measures.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.