It looks like these laundry machines are controlled by a mobile app, and requests are routed through The Internet™. The flaw appears to be the web service presumes a user is only able to gain access to their API endpoints via the mobile app, which only exposes certain functions to a user.
Once authorized, though, there’s no further checks like oauth scopes or even user roles, to prevent someone from doing a little bit of lateral movement to admin-style endpoints.
I once took over an app that worked like this. Access to one thing? Access to everything!
And they had a hard coded admin password in the server code. 🤦
The client wasn’t happy when I proposed a complete rewrite. Eventually my manager begged me to stop working with them, so we did.
Fun.
From the article, the linked Swagger docs : https://web.archive.org/web/20240120071238/https://mycscgo.com/api/v1/docs/static/index.html#/
And a little more detailed account : https://timesofindia.indiatimes.com/technology/tech-news/how-this-security-bug-in-washing-machines-can-help-college-students-in-the-us-do-free-laundry/articleshow/110277923.cms
It looks like these laundry machines are controlled by a mobile app, and requests are routed through The Internet™. The flaw appears to be the web service presumes a user is only able to gain access to their API endpoints via the mobile app, which only exposes certain functions to a user.
Once authorized, though, there’s no further checks like oauth scopes or even user roles, to prevent someone from doing a little bit of lateral movement to admin-style endpoints.
Lazy. The machine makers should be ashamed.
I once took over an app that worked like this. Access to one thing? Access to everything! And they had a hard coded admin password in the server code. 🤦 The client wasn’t happy when I proposed a complete rewrite. Eventually my manager begged me to stop working with them, so we did.