The struggle is real: No matter how long ago you attended college, chances are high that you remember laundry day. The dreaded chore required you to gather your stinky clothes and take them to a laundromat on or off campus. Worse yet, you had to spend your limited beer money on the task (or was that just me?).

Two California college students stumbled upon a way to get free laundry services by exploiting a security vulnerability. The bug affects over a million internet-connected laundry machines operated by CSC ServiceWorks in the US, Canada, and Europe. The flaw remains unfixed.

Students Alexander Sherbrooke and Iakov Taranenko, attending the University of Califonia at Santa Cruz, discovered multiple ways to get unlimited free laundry cycles from the faulty laundry machines. The flaw exists between CSC’s mobile app, “CSC Go,” and its backend servers. However, the students were not actively looking for an exploit when they found it (sure, they weren’t).

Sherbrooke told TechCrunch that he was just sitting on the floor of the basement laundry room one January morning with his laptop when he “suddenly [had] an ‘oh sh**’ moment.” He then quickly wrote a simple script instructing the app to start the machine. He figured there was no way his script would work since he had no money in his laundry account. To his surprise, the machine lit up and displayed the words “Push Start.”

Sherbrooke contacted his friend, Taranenko, and the two tried other experiments to see how far they could push the envelope. It turned out they could push it as far as they wanted. In one case, they claimed they added several million dollars to one of their laundry accounts. Despite the absurd deposit, the app showed a multimillion-dollar balance.

When attempting to notify CSC ServiceWorks, the students found it does not have an official means of reporting bugs or security vulnerabilities. So they sent several messages through the website’s contact page, but the company never responded. They tried phoning CSC, but that also led nowhere. Having no other avenue for directly reporting the flaw, the students contacted Carnegie Mellon University’s CERT Coordination Center to get help disclosing the vulnerability to the vendor.

Close to five months have passed since trying to notify CSC, but the bug remains unpatched, prompting the student researchers to disclose the flaw publicly. Unsurprisingly, Sherbrooke and Taranenko first shared the bug at a UCSC cybersecurity club meeting in early May before going to the media over this last weekend. Presumably, the cybersecurity club members are “monitoring” the situation with laundry baskets in hand every weekend so they can report when the company has fixed the flaw.

The students say the exploits work because the CSC Go app handles all transactional security validations on-device. By exploiting the app’s API, the students bypass the app’s validation process and send commands directly to the servers. The CSC servers automatically trust the incoming commands since they think they are coming from the app. It’s a case study in why you teach first year IT students to always set up backend transaction processing.

TechCrunch attempted to contact CSC for comment, but nobody returned its email.

Image credit: Alberto_VO5