The cross-browser testing service BrowserStack was recently breached by an attacker who leveraged his access to send an email to users claiming that the service was shutting down.
Claiming to come from the BrowserStack team, the hacker’s email to customers stated, “We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password ‘nakula’ on port 5901, a password which is stored in plain text on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plain text on every VM launched (‘c0stac0ff33’).”
“Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised,” the email added.
On Twitter, BrowserStack stated on November 9, 2014, “We did get hacked. Currently sanitizing entire BrowserStack, so service will be down for a while. We’re on top of it & will keep you posted.”
A few hours later, the company added, “The hacker’s access was restricted solely to a list of email addresses. We’ll be back up in a few hours.”
And the following day, BrowserStack tweeted, “We will post a post-mortem of the attack. Currently efforts are focused on getting the service back on track, and protecting user interests.”
Several users remained unconvinced, though — user jcsiegrist tweeted, “hm, how come the Email this morning from browserstack.com came from Amazon SES with DKIM signature?”
Developer Luke Rollans tweeted, “Having a hard time believing this guys, to be honest. I think a formal response to the contents of the email is warranted ASAP.”
That formal response came two days later, with a statement from BrowserStack founders Ritesh Arora and Nakul Aggarwal explaining what happened in detail.
According to Arora and Aggarwal, the hacker leveraged the Shellshock vulnerability to access an old BrowserStack server. “BrowserStack application servers run using Amazon Web Services,” the statement notes. “The configuration is vast, consisting of thousands of servers. One of these was an old prototype machine, which was the target of the breach. The machine had been running since before 2012, and was not in active use. It was penetrated using the shellshock vulnerability, and since it was no longer in active use, it did not have the appropriate patch installed.”
“The old prototype machine had our AWS API access key and secret key,” the founders added. “Once the hacker gained access to the keys, he created an IAM user, and generated a key-pair. He was then able to run an instance inside our AWS account using these credentials, and mount one of our backup disks. This backup was of one of our component services, used for production environment, and contained a config file with our database password. He also whitelisted his IP on our database security group, which is the AWS firewall.”
When the hacker began copying one of BrowserStack’s tables containing partial user information, his action locked the database table and raised alerts on the company’s monitoring system.
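The alert BrowserStack describes fired only at the last step, when the table copy locked the database. Every earlier step in the founders’ account (creating an IAM user, minting a key, launching an instance, attaching a backup volume, opening the database security group) is an AWS control-plane call that CloudTrail records, so the chain was detectable before any data moved. The Python below is an added example, not code from the article or from BrowserStack, showing how such records could be correlated. The log records, access key IDs, IP addresses, user names and resource IDs are constructed for illustration; the event names and fields (`eventName`, `sourceIPAddress`, `userIdentity.accessKeyId`, the `responseElements.accessKey.accessKeyId` returned by `CreateAccessKey`) are the ones CloudTrail really emits. The detail worth noticing is that the chain spans two credentials: the stolen key only performs `CreateUser` and `CreateAccessKey`, and everything after that is signed with the new key, so a detector that groups by access key alone sees two harmless halves. The example pivots through the `CreateAccessKey` response to attribute the second key back to the first.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records illustrating the chain in the founders'
# statement. Keys, IPs, user names and resource IDs are invented for this example.
def _ev(time, name, ip, key, user, **extra):
    src = "iam.amazonaws.com" if name in ("CreateUser", "CreateAccessKey") else "ec2.amazonaws.com"
    rec = {"eventTime": time, "eventSource": src, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}
    rec.update(extra)
    return rec

OLD, NEW, DEPLOY = "AKIAEXAMPLEOLDKEY0001", "AKIAEXAMPLENEWKEY0002", "AKIAEXAMPLEDEPLOY003"
SAMPLE_EVENTS = [
    _ev("2014-11-09T02:10:00Z", "CreateUser", "198.51.100.7", OLD, "ops",
        requestParameters={"userName": "backup-svc"}),
    _ev("2014-11-09T02:11:00Z", "CreateAccessKey", "198.51.100.7", OLD, "ops",
        requestParameters={"userName": "backup-svc"},
        responseElements={"accessKey": {"accessKeyId": NEW, "userName": "backup-svc"}}),
    _ev("2014-11-09T02:30:00Z", "RunInstances", "198.51.100.7", NEW, "backup-svc"),
    _ev("2014-11-09T02:45:00Z", "AttachVolume", "198.51.100.7", NEW, "backup-svc",
        requestParameters={"volumeId": "vol-0backup", "instanceId": "i-0attacker"}),
    _ev("2014-11-09T03:05:00Z", "AuthorizeSecurityGroupIngress", "198.51.100.7", NEW, "backup-svc",
        requestParameters={"groupId": "sg-0database", "cidrIp": "198.51.100.7/32",
                           "fromPort": 3306, "toPort": 3306}),
    # Routine activity from a known deployer address, which must not be flagged.
    _ev("2014-11-09T03:20:00Z", "RunInstances", "203.0.113.10", DEPLOY, "deploy"),
]

# The control-plane steps, in the order the founders describe them.
CHAIN = ("CreateUser", "CreateAccessKey", "RunInstances", "AttachVolume",
         "AuthorizeSecurityGroupIngress")

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _key(e):
    ident = e["userIdentity"]
    return ident.get("accessKeyId") or ident.get("arn", "unknown")

def root_key_resolver(events):
    """Return a function mapping any access key to the key that (transitively)
    created it. CloudTrail puts the newly minted key id in the CreateAccessKey
    responseElements; that is the pivot tying the second credential to the first."""
    parent = {}
    for e in events:
        if e["eventName"] == "CreateAccessKey" and e.get("responseElements"):
            parent[e["responseElements"]["accessKey"]["accessKeyId"]] = _key(e)
    def root(k):
        seen = set()
        while k in parent and k not in seen:
            seen.add(k)
            k = parent[k]
        return k
    return root

def detect_key_abuse(events, known_ips=frozenset(), window_minutes=360):
    """Flag every root credential that performs the whole CHAIN, in order, within
    window_minutes, with at least one call coming from outside known_ips."""
    root = root_key_resolver(events)
    by_root = {}
    for e in sorted(events, key=_ts):
        by_root.setdefault(root(_key(e)), []).append(e)
    findings = []
    for key, evs in by_root.items():
        chain_evs = [e for e in evs if e["eventName"] in CHAIN]
        names = [e["eventName"] for e in chain_evs]
        if any(step not in names for step in CHAIN):
            continue
        first_seen = [names.index(step) for step in CHAIN]
        if first_seen != sorted(first_seen):      # steps out of order: not this pattern
            continue
        span = _ts(chain_evs[-1]) - _ts(chain_evs[0])
        if span > timedelta(minutes=window_minutes):
            continue
        ips = {e["sourceIPAddress"] for e in chain_evs}
        if ips <= known_ips:                      # everything came from trusted addresses
            continue
        findings.append({
            "root_key": key,
            "derived_keys": sorted({_key(e) for e in chain_evs} - {key}),
            "source_ips": sorted(ips),
            "span_minutes": int(span.total_seconds() // 60),
            "opened_cidrs": [e["requestParameters"]["cidrIp"] for e in chain_evs
                             if e["eventName"] == "AuthorizeSecurityGroupIngress"],
        })
    return findings

if __name__ == "__main__":
    for f in detect_key_abuse(SAMPLE_EVENTS, known_ips=frozenset({"203.0.113.10"})):
        print(f)
```

Against the constructed records the detector attributes all five steps to the original key, lists the minted key as derived from it, and reports the `/32` the attacker added to the database security group. The allowlist is deliberately a loose filter: if the attacker had operated from an address already in `known_ips` (an instance inside the same account, for instance), only the chain and timing logic would remain, which is why the ordering check and the `CreateAccessKey` pivot are kept independent of the IP test.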
BrowserStack’s database logs then confirmed that user data was partially copied, but no user test history was compromised and no credit card details were accessed. “All user passwords are salted, and hashed with the powerful bcrypt algorithm, which creates an irreversible hash which cannot be cracked,” Arora and Aggarwal wrote. “However, as an added precaution, we suggest that users change their BrowserStack account passwords.”
In their statement, the founders responded to each of the hacker’s allegations in detail before acknowledging, “All our servers, running or not, whether in active use or not, should have been patched with the latest security upgrades and updates including the shellshock one. Moreover, servers not in active use should have been stopped and the server shouldn’t have had the AWS keys. Additionally, our communication could have been better. Instead of intermittent updates, we preferred to present a complete, honest picture of the attack to our users once our analysis was done.”
A recent eSecurity Planet article offered advice on how to respond to a data breach — despite the delay, BrowserStack’s honest and detailed statement serves as an excellent example of clear communication following a breach.