Cross Browser Testing Website BrowserStack.com Hacked

Hackers were able to gain unauthorized access to BrowserStack's servers and send a fake email message claiming that BrowserStack is shutting down (see below) to approximately 5,000 of their users. The cyber-attack took place on November 9, 2014, and caused BrowserStack to temporarily take down their services for several hours in order to protect their users. The hackers gained access via an old, inactive and unpatched computer using the Shellshock vulnerability.

Although BrowserStack protects their users' passwords with a strong salted hashing algorithm (bcrypt), which they claim cannot be reversed or cracked, they are recommending that their users change their passwords as a precautionary measure.

BrowserStack has sent an email to all of its users, notifying and educating them about the security breach.

BrowserStack Notification Email Message

Subject: Apologies for the downtime, but we're coming back stronger.

Dear ,

As you may already know, BrowserStack experienced an attack on 9th November, 2014 at 23:30 GMT during which an individual was able to gain unauthorized access to some of our users’ registered email addresses. He then tried to send an email to all our registered users, but he was only able to reach less than 1% (our estimate is 5,000 users). The email contained inaccurate information, even claiming that BrowserStack would be shutting down.

When we realized this, our only concern was to protect our users. This involved temporarily taking down the service, as we scrutinized each component carefully. This inconvenienced our users for several hours, and for that we are truly sorry.

What happened?

BrowserStack application servers run using Amazon Web Services. The configuration is vast, consisting of thousands of servers. One of these was an old prototype machine, which was the target of the breach.

The machine had been running since before 2012, and was not in active use. It was penetrated using the shellshock vulnerability, and since it was no longer in active use, it did not have the appropriate patch installed.

The old prototype machine had our AWS API access key and secret key. Once the hacker gained access to the keys, he created an IAM user, and generated a key-pair. He was then able to run an instance inside our AWS account using these credentials, and mount one of our backup disks. This backup was of one of our component services, used for production environment, and contained a config file with our database password. He also whitelisted his IP on our database security group, which is the AWS firewall.

He began to copy one of our tables, which contained partial user information, including email IDs, hashed passwords, and last tested URL. His copy operation locked the database table, which raised alerts on our monitoring system. On receiving the alerts, we checked the logs, saw an unrecognized IP, and blocked it right away. In that time, the hacker had been able to retrieve only a portion of the data. Finally, using this data and the SES credentials, he was able to send an email to some of our users.

What was the extent of the damage?

Our database logs confirmed that user data was partially copied, but no user test history was compromised. Therefore all user data remains wholly intact. Most crucially, credit card details were not compromised, as we only store the last 4 digits of the credit card number, and all payment processing takes place through our payment processing partner. All user passwords are salted, and encrypted with the powerful bcrypt algorithm, which creates an irreversible hash which cannot be cracked. However, as an added precaution, we suggest that users change their BrowserStack account passwords.

We were able to verify the actions of the hacker using AWS CloudTrail, which confirmed that no other services were compromised, no other machines were booted, and our AMIs and other data stores were not copied.

In addition, our production web server logs indicate that we were experiencing shellshock attempts, but they failed because the production web server has the necessary patches to foil all such attempts.

Points in the email

We would now like to address the points raised in the email. The hacker quoted three paragraphs from our Security documentation, as follows:

"after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof."

Our restoration process is indeed tamper-proof. When we create a test machine from scratch, we take a snapshot. After every user session, the test machine is restored to its original state using that snapshot. Even if a previous user manages to install malicious software, it is always erased due to the restoration process.

"The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible."

Every single machine has an OS firewall, in addition to the hardware network firewalls we use. On EC2, we use security groups as an equivalent safety measure. We also use industry-standard brute-force throttling measures.

"At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process."

The application ensures that a machine is allocated to only one person at a time, and VNC passwords are randomly generated for each session. Thus, even our administrators cannot see your test session.

With respect to the plaintext passwords on the VMs, this is certainly not the case, as we moved to key-based authentication years ago. Moreover root login is disabled in our SSH configuration.

Both the passwords mentioned, ‘nakula’ and ‘c0stac0ff33’, were indeed in use a couple of years ago during our prototyping phase, and thus were present in the old prototype machine that was hacked. ‘nakula’ was previously our VNC password, and was hashed. However, unlike the hash used for the user passwords, this hash is much weaker. This was due to a limitation in VNC protocol, and we had overcome this liability by regenerating a new password for every session, and thus ‘nakula’ has not been in use for years. ‘c0stac0ff33’ was one of our system user passwords on the prototype machine, before we moved to key-based authentication.

It is true that we still run our VNC server on port 5901, but we do not believe that it is a security vulnerability because a current password is still required for access. As mentioned before, the passwords are changed every test session.

Where did we go wrong?

All our servers, running or not, whether in active use or not, should have been patched with the latest security upgrades and updates including the shellshock one. Moreover, servers not in active use should have been stopped and the server shouldn’t have had the AWS keys.

Additionally, our communication could have been better. Instead of intermittent updates, we preferred to present a complete, honest picture of the attack to our users once our analysis was done.

Security measures taken to mitigate and prevent further incidents

After taking down the service, we revoked all the existing AWS keys and passwords, and generated new ones immediately, as an added security measure.

Subsequently, we went through all the SSH logs, web server logs, as well as AWS CloudTrail logs, to ensure that no more damage was done.

We are migrating all backups to encrypted backups, and removing all unencrypted ones.

We have also put in several additional checks and alerts, which are triggered on specified AWS actions. As a precautionary measure we have also created new VM snapshots and have replaced all the existing ones.

To prevent further incidents, we are in the process of evaluating certain VPC/VPN options to enhance our security measures.

We’re going to have a security audit conducted by an external, independent agency.

Once again we apologise for the inconvenience. BrowserStack is deeply committed to providing the best and most secure testing infrastructure for our users. We will be forging ahead with exciting new releases in the next few weeks and look forward to continuing to serve you.

We have a trace and the IP of the hacker. We will be in touch with authorities soon to register an official complaint. Thank you for the support and understanding we have received over the last few days.

Sincerely,

Ritesh and Nakul
Founders, BrowserStack
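The AWS control-plane sequence the email describes (IAM user created, key pair generated, instance launched, backup volume mounted, database security group opened) and the "checks and alerts triggered on specified AWS actions" the founders say they added are illustrated below with an added Python example; it is not BrowserStack's code. It runs a simple detector over constructed CloudTrail-style records: the record layout is simplified (in real CloudTrail records accessKeyId sits under userIdentity), and every IP address and access key ID is made up.

```python
from collections import defaultdict

# Constructed sample records (not BrowserStack's real logs). They model the
# sequence in the incident email: a leaked long-lived key creates an IAM user
# and key pair, then the new key launches an instance, attaches a backup
# volume and opens the database security group. One benign deploy is mixed in.
SAMPLE_EVENTS = [
    {"eventTime": "2014-11-09T23:02:11Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.7", "accessKeyId": "AKIAOLDPROTOTYPEKEY"},
    {"eventTime": "2014-11-09T23:03:40Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.7", "accessKeyId": "AKIAOLDPROTOTYPEKEY"},
    {"eventTime": "2014-11-09T23:05:02Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.20", "accessKeyId": "AKIADEPLOYPIPELINE"},
    {"eventTime": "2014-11-09T23:09:15Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.7", "accessKeyId": "AKIANEWATTACKERKEY"},
    {"eventTime": "2014-11-09T23:14:33Z", "eventName": "AttachVolume",
     "sourceIPAddress": "203.0.113.7", "accessKeyId": "AKIANEWATTACKERKEY"},
    {"eventTime": "2014-11-09T23:20:08Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.7", "accessKeyId": "AKIANEWATTACKERKEY"},
]

# Real CloudTrail eventName values worth an alert whenever they come from an
# unexpected source IP or from an access key that is not on the approved list.
HIGH_RISK_ACTIONS = {
    "CreateUser": "new IAM principal",
    "CreateAccessKey": "new long-lived credential",
    "RunInstances": "instance launched",
    "AttachVolume": "volume (e.g. a backup) mounted",
    "AuthorizeSecurityGroupIngress": "security-group rule opened",
}


def flag_events(events, trusted_ips, approved_keys):
    """Return every high-risk action done from an untrusted IP or unapproved key."""
    findings = []
    for ev in events:
        name = ev["eventName"]
        if name not in HIGH_RISK_ACTIONS:
            continue
        reasons = []
        if ev["sourceIPAddress"] not in trusted_ips:
            reasons.append("unknown source IP")
        if ev["accessKeyId"] not in approved_keys:
            reasons.append("unapproved access key")
        if reasons:  # a known key from an unknown IP is still a finding
            findings.append({"time": ev["eventTime"], "action": name,
                             "ip": ev["sourceIPAddress"], "key": ev["accessKeyId"],
                             "why": HIGH_RISK_ACTIONS[name], "reasons": reasons})
    return findings


def attack_chains(findings, min_steps=3):
    """Group findings by source IP, in time order, and keep IPs that chained at
    least min_steps distinct high-risk actions: one CreateUser may be an admin,
    but user + key + instance + volume + firewall change from a single unknown
    IP is the pattern the incident email describes."""
    by_ip = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["time"]):
        by_ip[f["ip"]].append(f["action"])
    return {ip: acts for ip, acts in by_ip.items() if len(set(acts)) >= min_steps}
```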

The Fake BrowserStack Email Message Sent by Hackers

Dear BrowserStack User,

We are unfortunately displeased to announce that BrowserStack will be shutting down. After much consideration on our part, we have realized we were negligent in the services we claimed to offer. In our terms of service, we state the following:

[...] after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof.

[...] The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.

[...] At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.

Unfortunately, we have blatantly lied. Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password "nakula" on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched ("c0stac0ff33").

Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised. These passwords take no less than 15 minutes to find for anyone who is looking.

We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.

Sincerely,

The BrowserStack Team

Online Threat Alerts Security Tips

Pay the safest way

Credit cards are the safest way to pay for online purchases because you can dispute the charges if you never get the goods or services or if the offer was misrepresented. Federal law limits your liability to $50 if someone makes unauthorized charges to your account, and most credit card issuers will remove them completely if you report the problem promptly.

Guard your personal information

In any transaction you conduct, make sure to check with your state or local consumer protection agency and the Better Business Bureau (BBB) to see if the seller, charity, company, or organization is credible. Be especially wary if the entity is unfamiliar to you. Always call the number found on a website’s contact information to make sure the number legitimately belongs to the entity you are dealing with.

Be careful of the information you share

Never give out your codes, passwords or personal information unless you are sure of who you're dealing with.

Know who you’re dealing with

Crooks pretending to be from companies you do business with may call or send an email, claiming they need to verify your personal information. Don’t provide your credit card or bank account number unless you are actually paying for something and know who you are sending payment to. Your social security number should not be necessary unless you are applying for credit. Be especially suspicious if someone claiming to be from a company with whom you have an account asks for information that the business already has.

Check your accounts

Regularly check your account transactions and report any suspicious or unauthorised transactions.

Don’t believe promises of easy money

If someone claims that you can earn money with little or no work, get a loan or credit card even if you have bad credit, or make money on an investment with little or no risk, it's probably a scam. Oftentimes, offers that seem too good to be true actually are too good to be true.

Do not open email from people you don’t know

If you are unsure whether an email you received is legitimate, try contacting the sender directly via other means. Do not click on any links in an email unless you are sure it is safe.

Think before you click

If an email or text message looks suspicious, don’t open any attachments or click on the links.

Verify urgent requests or unsolicited emails, messages or phone calls before you respond

If you receive a message or a phone call asking for immediate action and don't know the sender, it could be a phishing message.

Be careful with links and new website addresses

Malicious website addresses may appear almost identical to legitimate sites. Scammers often use a slight variation in spelling or logo to lure you. Malicious links can also come from friends whose email has unknowingly been compromised, so be careful.

Secure your personal information

Before providing any personal information, such as your date of birth, Social Security number, account numbers, and passwords, be sure the website is secure.

Stay informed on the latest cyber threats

Keep yourself up to date on current scams by visiting this website daily.

Use Strong Passwords

Strong passwords are critical to online security.

Keep your software up to date and maintain preventative software programs

Keep all of your software applications up to date on your computers and mobile devices. Install software that provides antivirus, firewall, and email filter services.

Update the operating systems on your electronic devices

Make sure your operating systems (OSs) and applications are up to date on all of your electronic devices. Older and unpatched versions of OSs and software are the target of many hacks. Read the CISA security tip on Understanding Patches and Software Updates for more information.

What if You Got Scammed?

Stop Contact With The Scammer

Hang up the phone. Do not reply to emails, messages, or letters that the scammer sends. Do not make any more payments to the scammer. Beware of additional scammers who may contact you claiming they can help you get your lost money back.

Secure Your Finances

  • Report potentially compromised bank account, credit or debit card information to your financial institution(s) immediately. They may be able to cancel or reverse fraudulent transactions.
  • Notify the three major credit bureaus. They can add a fraud alert to warn potential credit grantors that you may be a victim of identity theft. You may also want to consider placing a free security freeze on your credit report. Doing so prevents lenders and others from accessing your credit report entirely, which will prevent them from extending credit.

Check Your Computer

If your computer was accessed or otherwise affected by a scam, check to make sure that your anti-virus is up-to-date and running and that your system is free of malware and keylogging software. You may also need to seek the help of a computer repair company. Consider utilizing the Better Business Bureau’s website to find a reputable company.

Change Your Account Passwords

Update your bank, credit card, social media, and email account passwords to try to limit further unauthorized access. Make sure to choose strong passwords when changing account passwords.

Report The Scam

Reporting helps protect others. While agencies can't always track down the perpetrators of scams, they can use the information gathered to record patterns of abuse, which may lead to action being taken against a company or industry.

Report your issue to the following agencies based on the nature of the scam:

  • Local Law Enforcement: Consumers are encouraged to report scams to their local police department or sheriff’s office, especially if you lost money or property or had your identity compromised.
  • Federal Trade Commission: Contact the Federal Trade Commission (FTC) at 1-877-FTC-HELP (1-877-382-4357) or use the Online Complaint Assistant to report various types of fraud, including counterfeit checks, lottery or sweepstakes scams, and more.
  • Identitytheft.gov: If someone is using your personal information, like your Social Security, credit card, or bank account number, to open new accounts, make purchases, or get a tax refund, report it at www.identitytheft.gov. This federal government site will also help you create your Identity Theft Report and a personal recovery plan based on your situation. Questions can be directed to 877-ID THEFT.

How To Recognize a Phishing Scam

Scammers use email or text messages to try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could get access to your email, bank, or other accounts. Or they could sell your information to other scammers. Scammers launch thousands of phishing attacks like these every day — and they’re often successful.

Scammers often update their tactics to keep up with the latest news or trends, but here are some common tactics used in phishing emails or text messages:

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. You might get an unexpected email or text message that looks like it’s from a company you know or trust, like a bank or a credit card or utility company. Or maybe it’s from an online payment website or app. The message could be from a scammer, who might

  • say they’ve noticed some suspicious activity or log-in attempts — they haven’t
  • claim there’s a problem with your account or your payment information — there isn’t
  • say you need to confirm some personal or financial information — you don’t
  • include an invoice you don’t recognize — it’s fake
  • want you to click on a link to make a payment — but the link has malware
  • say you’re eligible to register for a government refund — it’s a scam
  • offer a coupon for free stuff — it’s not real

About Online Threat Alerts (OTA)

Online Threat Alerts or OTA is an anti-cybercrime community that started in 2012. OTA alerts the public to cyber crimes and other web threats.

By alerting the public, we have prevented a lot of online users from getting scammed or becoming victims of cybercrimes.

With the ever-increasing number of people going online, it is important to have a community like OTA that continuously alerts and protects those same people from cyber-criminals, scammers and hackers, who are every day finding new ways of carrying out their malicious activities.

Online users can help by reporting suspicious or malicious messages or websites to OTA. And, if they want to determine if a message or website is a threat or scam, they can use OTA's search engine to search for the website or parts of the message for information.
