University Students Expose Laundry Machine Security Flaw; Company Unresponsive


Two university students claim they identified and reported a security flaw earlier this year that allows anyone to avoid paying for laundry services on over a million internet-connected machines around the world, including those in residences and college campuses.

Months later, the vulnerability remains unresolved as CSC ServiceWorks failed to respond to repeated requests to address the issue.

UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko discovered that the flaw permits anyone to remotely initiate laundry cycles for free on CSC-operated machines.

Sherbrooke recounted sitting in his basement laundry room one early January morning with his laptop when he experienced an “oh s—” moment. By running a script, he managed to start a laundry cycle on a machine without any money in his account. The machine responded with a loud beep and displayed “PUSH START,” signaling it was ready for a free load.

In another instance, they added a bogus balance of several million dollars to one of their laundry accounts; the inflated figure displayed as if it were real money in their CSC Go mobile app.

CSC ServiceWorks, a major laundry service provider, claims to have over a million laundry machines installed in hotels, universities, and residences across the U.S., Canada, and Europe.

Lacking a dedicated security page for vulnerability reports, Sherbrooke and Taranenko sent multiple messages via CSC’s online contact form in January but received no responses. Phone calls also proved unfruitful.

The students shared their findings with the CERT Coordination Center at Carnegie Mellon University, which assists in disclosing security flaws to vendors and offering public guidance.

After waiting longer than the typical three-month period that security researchers allow vendors to fix issues before going public, the students presented their findings at their university’s cybersecurity club in May.

CSC representatives did not respond to Truth Voices’s requests for comment, and it remains unclear who manages cybersecurity at the company.

The flaw lies in the API behind CSC’s mobile app, CSC Go, which the app uses to talk to CSC’s servers over the internet. Users top up their accounts and start laundry loads via the app. However, Sherbrooke and Taranenko found that CSC’s servers accept commands that alter account balances because the checks on whether a user actually has funds are performed by the app on the user’s device, and the servers simply trust whatever the app reports. Anyone who bypasses the app and talks to the servers directly can therefore run machines and top up balances without ever paying.

By capturing the network traffic the CSC Go app sends while they used it, the students could skip the app’s local checks and send commands straight to CSC’s servers, including commands the app itself never exposes to the user.

Technology vendors like CSC must enforce security checks on the server, where the user cannot tamper with them; relying on the app to do it is akin to a bank vault whose guard lets in anyone who says they are allowed in.

The researchers demonstrated that anyone could create a CSC Go account and send commands via the API because new user email addresses aren’t verified. They tested this with a fabricated email address.
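To make the two weaknesses concrete, here is an added example written for this article, not CSC’s code or API. It models a server that records whatever balance the client reports and starts cycles without checking funds (the pattern described above), alongside a hardened version that only credits payments it has settled itself, debits the cycle price server-side, and refuses to serve accounts whose email was never verified (the unverified-account problem described in the previous paragraph). All endpoint names, fields, prices and accounts are hypothetical.

```python
"""Client-trusting vs. server-enforced balance handling (illustrative, not CSC's code)."""
from dataclasses import dataclass, field

CYCLE_PRICE_CENTS = 250  # hypothetical price of one wash cycle


@dataclass
class Account:
    email: str
    email_verified: bool = False
    balance_cents: int = 0
    # Server-side record of payment ids already credited; only the server writes it.
    credited_payments: list = field(default_factory=list)


# --- Vulnerable pattern: the app is the source of truth --------------------

def vulnerable_update_balance(acct, request):
    """The app computes the new balance and the server just stores it.
    Anyone who replays the request with a different number sets their own balance."""
    acct.balance_cents = int(request["balance_cents"])
    return {"balance_cents": acct.balance_cents}


def vulnerable_start_cycle(acct, request):
    """The app only sends this after checking the balance locally, so the
    server never checks funds (or whether the account was verified) at all."""
    return {"machine_id": request["machine_id"], "status": "PUSH START"}


# --- Hardened pattern: the server enforces every rule ------------------------

def hardened_credit(acct, request, settled_payments):
    """Credit an account only by the amount of a payment the server has settled.
    `settled_payments` stands in for the payment processor's record (id -> cents)."""
    if not acct.email_verified:
        raise PermissionError("account email not verified")
    payment_id = request["payment_id"]
    if payment_id in acct.credited_payments:
        raise ValueError("payment already credited")  # replayed request
    amount = settled_payments.get(payment_id)
    if amount is None or amount <= 0:
        raise ValueError("no settled payment with that id")
    acct.credited_payments.append(payment_id)
    acct.balance_cents += amount
    return {"balance_cents": acct.balance_cents}


def hardened_start_cycle(acct, request):
    """Start a cycle only if the server's own ledger shows enough funds,
    and debit the price here rather than trusting the app to do it."""
    if not acct.email_verified:
        raise PermissionError("account email not verified")
    if acct.balance_cents < CYCLE_PRICE_CENTS:
        raise PermissionError("insufficient funds")
    acct.balance_cents -= CYCLE_PRICE_CENTS
    return {"machine_id": request["machine_id"], "status": "PUSH START",
            "balance_cents": acct.balance_cents}


def demo():
    """Constructed walkthrough: a replayed request against both implementations."""
    # Captured-and-edited request, as an attacker would send it after sniffing the app.
    forged = {"balance_cents": 300_000_000}
    start = {"machine_id": "W-7"}

    weak = Account("nobody@example.invalid")  # never verified, never paid
    vulnerable_update_balance(weak, forged)
    weak_cycle = vulnerable_start_cycle(weak, start)["status"]

    strong = Account("user@example.invalid", email_verified=True)
    settled = {"pay-001": 500}  # the processor settled exactly one $5.00 payment
    hardened_credit(strong, {"payment_id": "pay-001"}, settled)
    hardened_start_cycle(strong, start)
    return {"weak_balance": weak.balance_cents, "weak_cycle": weak_cycle,
            "strong_balance": strong.balance_cents}


if __name__ == "__main__":
    print(demo())
```

The important difference is not the size of the code but where the decision lives: the hardened handlers never read a balance from the request, only from the server’s own ledger, so replaying or editing captured traffic gains nothing.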

Accessing the API and referring to CSC’s published list of server commands, Sherbrooke and Taranenko found it possible to remotely interact with all laundry machines on CSC’s network.

While free laundry seems beneficial, the students highlighted the risk of internet-connected heavy-duty appliances being exposed to attackers. They could not confirm whether API commands could bypass the safety restrictions that protect against overheating and fires, but they noted that someone still has to physically press the machine’s start button to begin a cycle.

After reporting their findings, CSC quietly reset the researchers’ inflated account balance, though the bug remains unfixed, allowing users to artificially inflate their balances.

Taranenko expressed disappointment over CSC’s lack of acknowledgment. “I just don’t get how a company that large makes these mistakes then has no way of contacting them,” he said. “Worst-case scenario, people can easily load up their wallets and the company loses a ton of money. Why not have a single monitored security email for this?”

Despite CSC’s lack of response, the researchers remain committed. “Since we’re doing this in good faith, I don’t mind spending hours waiting on hold to help with security issues,” said Taranenko, adding that working on real-world security research was enjoyable.

Zack Whittaker
Security Editor. Covers primarily cybersecurity and national security with a tech focus.
