Browser Testing Startup BrowserStack Hacked, Question Raised On Security of Its System

What can be the worst nightmare for a startup? Well, nothing other than shutting down its own service. Even the thought of anything like this is problematic for a startup and its customers.

Earlier today, BrowserStack, which offers its customers browser-testing service, was hacked. To make it worse for the startup, hackers sent out emails to its users saying that it is shutting down! Adding on, the mail also mentioned that the company has been lying to everyone about its security.

Here is the mail sent to the users:

Dear BrowserStack User,

We are unfortunately displeased to announce that BrowserStack will be shutting down. After much consideration on our part, we have realized we were negligent in the services we claimed to offer. In our terms of service, we state the following:

[…] after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof.

[…] The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.

[…] At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.

Unfortunately, we have blatantly lied. Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password \”nakula\” on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched (\”c0stac0ff33\”).

Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised. These passwords take no less than 15 minutes to find for anyone who is looking.

We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.

Sincerely,
The BrowserStack Team

Brownstack confirmed the hack via Twitter:

As per the company, “The hacker’s access was restricted solely to a list of email addresses.” It has also advised its users to change their passwords as a precaution.

“We are still in the process of sanitisation, and making doubly sure this situation never re-occurs. We are on top of it, and will post updates as they happen. We will be sharing an entire post-mortem report in the next few days,” company representative told Techcrunch.

However, after sometime all the BrowserStack services were up. But now a lot of questions has been raised by the customers on the security holes in the testing service post this incident.   

BrowserStack has over 25,000 customers including Microsoft, jQuery, Github, eBay, Barclays, Adobe, Visa, and others.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.