this post was submitted on 20 May 2024
379 points (98.0% liked)

Technology

68394 readers
4132 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
379
Two students find security bug that could let millions do laundry for free (www.theverge.com)
submitted 10 months ago by return2ozma@lemmy.world to c/technology@lemmy.world
87 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] evatronic@lemm.ee 69 points 10 months ago (1 children)

Fun.

From the article, the linked Swagger docs : https://web.archive.org/web/20240120071238/https://mycscgo.com/api/v1/docs/static/index.html#/

And a little more detailed account : https://timesofindia.indiatimes.com/technology/tech-news/how-this-security-bug-in-washing-machines-can-help-college-students-in-the-us-do-free-laundry/articleshow/110277923.cms

It looks like these laundry machines are controlled by a mobile app, and requests are routed through The Internet(tm). The flaw appears to be the web service presumes a user is only able to gain access to their API endpoints via the mobile app, which only exposes certain functions to a user.

Once authorized, though, there's no further checks like oauth scopes or even user roles, to prevent someone from doing a little bit of lateral movement to admin-style endpoints.

Lazy. The machine makers should be ashamed.

[–] anakin78z@lemmy.world 22 points 10 months ago

I once took over an app that worked like this. Access to one thing? Access to everything! And they had a hard coded admin password in the server code. 🤦 The client wasn't happy when I proposed a complete rewrite. Eventually my manager begged me to stop working with them, so we did.