• evatronic@lemm.ee
    6 months ago

    Fun.

    From the article, the linked Swagger docs: https://web.archive.org/web/20240120071238/https://mycscgo.com/api/v1/docs/static/index.html#/

    And a little more detailed account: https://timesofindia.indiatimes.com/technology/tech-news/how-this-security-bug-in-washing-machines-can-help-college-students-in-the-us-do-free-laundry/articleshow/110277923.cms

    It looks like these laundry machines are controlled by a mobile app, and requests are routed through The Internet™. The flaw appears to be the web service presumes a user is only able to gain access to their API endpoints via the mobile app, which only exposes certain functions to a user.

    Once authorized, though, there are no further checks, like OAuth scopes or even user roles, to prevent someone from doing a little bit of lateral movement to admin-style endpoints.

    Lazy. The machine makers should be ashamed.
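
The missing check described in the comment above, as an added example that is not part of the thread or of the vendor's code. Route names, scope names and the sample session are hypothetical; it contrasts a service that only verifies a session exists with one that also checks a per-route scope.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    scopes: frozenset  # granted server-side at login, never taken from the client


# Hypothetical route table: every endpoint declares the scope it requires.
ROUTES = {
    ("GET", "/machines"): "machines:read",
    ("POST", "/cycles/start"): "cycles:start",
    ("POST", "/admin/balance"): "admin:balance",
}


def authenticated_only(session, method, path):
    """Flawed pattern: any valid session reaches any route the server knows."""
    if session is None:
        return 401
    return 200 if (method, path) in ROUTES else 404


def authorized(session, method, path):
    """Hardened pattern: authenticate, then enforce the route's scope."""
    if session is None:
        return 401
    required = ROUTES.get((method, path))
    if required is None:
        return 404  # unknown routes are never served
    if required not in session.scopes:
        return 403  # logged in, but not allowed to call this function
    return 200


def audit(check, session):
    """List the routes a session can reach under the given check."""
    return sorted(p for (m, p) in ROUTES if check(session, m, p) == 200)


# Constructed sample: an ordinary app user with no admin scope.
student = Session("student", frozenset({"machines:read", "cycles:start"}))

if __name__ == "__main__":
    print("authenticated_only:", audit(authenticated_only, student))
    print("authorized:        ", audit(authorized, student))
```

Running `audit` over every route for each role is a quick regression test that the mobile app's UI is not the only thing limiting what a user can call.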

    • anakin78z@lemmy.world
      6 months ago

      I once took over an app that worked like this. Access to one thing? Access to everything! And they had a hard-coded admin password in the server code. 🤦 The client wasn’t happy when I proposed a complete rewrite. Eventually my manager begged me to stop working with them, so we did.

  • ChickenLadyLovesLife@lemmy.world
    6 months ago

    I (white boy) visited India in the early '90s and brought back a bunch of rolls of half-Rupee coins as souvenirs. Turns out they were the exact same weight and diameter as US quarters (even down to the number of ridges, which makes me suspect India bought a bunch of used US minting machines to make them), so I started using them at laundromats. The exchange rate at the time was 35 Rs to the dollar, so a load in the US that normally cost $1 was costing me less than 6 cents. I do feel bad for the harassment that actual Indian customers probably ended up receiving, although possibly the owners never noticed or cared.

    • PrettyFlyForAFatGuy@feddit.uk
      6 months ago

      When I used to go to France for my family holiday every year (I live in southeast England, so not far), I used to take as many 2p coins as I could because they were close enough to the €2 coin to work in those insert-and-twist sweet/small toy machines.

      • ChickenLadyLovesLife@lemmy.world
        6 months ago

        British coins really seem absurdly overly-beefy for the monetary value they represent. I think it’s a way of saving up metal for the next time the Germans need sorting out.

  • PM_Your_Nudes_Please@lemmy.world
    6 months ago

    Here’s a reminder that most washing machines use a universal key, which you can buy online for like $5. You can just pop it open and hit the little “coin inserted” switch to make it think you paid.