The enshittification of Assistant is what prompted me, a few months ago, to embark on a quest to remove Google (and other cloud-based services) from my home automation setup. I've since swapped over to Home Assistant using Zigbee for almost everything.
I had to keep the Alexa integration going, or the other half would lose their god damned mind because apparently, that's the only way on the entire planet to turn the light by the couch on and off.
But yeah, next up is just replacing all the light switches with Zigbee-enabled ones so I can go full scary motion detection in a room thing. It's going to be super futuristic in here, like 1998!
Fun.
From the article, the linked Swagger docs: https://web.archive.org/web/20240120071238/https://mycscgo.com/api/v1/docs/static/index.html#/
And a little more detailed account: https://timesofindia.indiatimes.com/technology/tech-news/how-this-security-bug-in-washing-machines-can-help-college-students-in-the-us-do-free-laundry/articleshow/110277923.cms
It looks like these laundry machines are controlled by a mobile app, and requests are routed through The Internet(tm). The flaw appears to be that the web service presumes a user is only able to reach its API endpoints via the mobile app, which only exposes certain functions to a user.
Once authorized, though, there are no further checks, like OAuth scopes or even user roles, to prevent someone from doing a little bit of lateral movement to admin-style endpoints.
Lazy. The machine makers should be ashamed.