BrowserStack hacked: Attacker sends email to customers alleging shoddy security

After a hacker sent email to BrowserStack customers alleging that the company had no firewalls in place, stored passwords in plain text and followed other shoddy security practices, BrowserStack admitted it was hacked. Yet the company claims the hacker only accessed a list of email addresses, and it promised to give customers an analysis of the attack later.

[Image: Hacked. Credit: Scott Schiller]

BrowserStack is a cross-browser testing tool that allows its 25,000 customers to test their websites on over 700 different web browsers across various desktop operating systems and mobile platforms. It claims to have some big guns like Microsoft, GitHub, eBay, Adobe, MIT, VISA, and Wikipedia as customers.

[Screenshot: BrowserStack hacked. Credit: BrowserStack]

The fact that BrowserStack was hacked became known after customers received an email that reads like it’s from a disgruntled employee, meaning the claims may not be true. Back in September, the FBI and DHS issued a warning about seeing a significant uptick in insider threats, costing victim businesses from $5,000 to $3 million. The claims could also be true, with the email simply being the hacker’s preferred form of breach notification. A copy of the email is on Pastebin:

Dear BrowserStack User,

We are unfortunately displeased to announce that BrowserStack will be shutting down. After much consideration on our part, we have realized we were negligent in the services we claimed to offer.  In our terms of service, we state the following:

    [...] after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof.

    [...] The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.

    [...] At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.

Unfortunately, we have blatantly lied. Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password "nakula" on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched ("c0stac0ff33").

Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised. These passwords take no less than 15 minutes to find for anyone who is looking.

We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.

Sincerely,

The BrowserStack Team

When worried customers checked out the site to see if it was shutting down, they saw a standard maintenance notice:

We’ll be back soon!  Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!

“BrowserStack is not shutting down,” the company told DataBreaches.net. “An attacker gained access to a list of user email addresses on BrowserStack on 9 November, 2014 at 23:30 GMT.” The response mentioned sanitization to make “doubly sure this situation never reoccurs,” but added, “We have determined that the hacker’s access was restricted solely to that list of email addresses. As a precaution, we recommend changing your BrowserStack password…. We are on top of it, and will post updates as they happen.”

The company issued a similar update via a tweet:

[Screenshot: BrowserStack claims only customer email list compromised. Credit: BrowserStack]

One big update is that the site is back up, but there is no notification of the hack on BrowserStack’s site.

[Screenshot: No notification of hack on BrowserStack. Credit: BrowserStack]

The discussion about BrowserStack on Hacker News ranged from speculation to investigation. Security issues have been reported to BrowserStack in the past; for example, globule commented:

Regarding some of the actual claims, I had an issue a year back when I logged into a session, and could perfectly see another user's session in progress, internal URL in the browser, mouse moving around. I freaked out, watched for 3-4 seconds, and then got kicked out of the session.

After the issue was reported, BrowserStack claimed it had “fixed the root cause.” Other Hacker News commenters also reported experiencing security-related issues while using the site.

The email about the hack was sent via Amazon SES; that means, as commenter rver pointed out, “The hacker had access to their Amazon SES credentials.”

BrowserStack has since taken to Twitter to say the company intends to post a “post-mortem of the attack.”

[Screenshot: BrowserStack promised post-mortem on attack. Credit: BrowserStack]

Whether or not that goes up on BrowserStack’s site remains to be seen, as a different tweet claimed, “We will email all users with the entire analysis soon.”
