Hacker claims poor password policy, announces service shutdown

Nov 10, 2014 13:28 GMT

An unauthorized individual gained access to BrowserStack's systems and sent an email to a set of its users warning them about security flaws in the service.

BrowserStack is a cloud service that lets web developers test their websites in different web browsers on desktop and mobile operating systems, which run on virtual machines.

The number of customers reached 25,000 in August and more than half a million developers from across the globe have registered for the service.

Company admits the intrusion, hacker delivers message announcing service shutdown

The company acknowledged the intrusion and said the service would be unavailable for a while as its staff worked on cleaning it up.

“We did get hacked. Currently sanitising entire BrowserStack, so service will be down for a while. We're on top of it & will keep you posted,” the company said in a tweet.

Not many details are available about the incident, but the company said in a subsequent message that the attacker managed to get access only to a list of email addresses.

This was enough for the hacker, who proceeded to send users an email claiming to be from the BrowserStack team and announcing that the service would be terminated for failing to honor the security promises made in its terms of service.

The hacker essentially accused the company of being unable to guarantee that only the tester could reach a given virtual machine, citing the absence of firewalls and a very weak password policy.

The letter from the hacker starts by letting the recipient know that the BrowserStack service will be shutting down. “After much consideration on our part, we have realized we were negligent in the services we claimed to offer,” the hacker writes.

Service relies on only one root password that is easy to find

The intruder goes on to say that not only do all BrowserStack administrators have access to the virtual machines used by testing customers, but so does anyone else.

“All virtual machines launched are open to the public, accessible to anyone with the alpha password ‘nakula’ on port 5901, a password which is stored in plaintext on every VM,” the message posted on Pastebin says.

The attacker further claims that BrowserStack uses the same root password on all machines, and that it is stored in plain text on every launched virtual machine.

In response, the company says that all efforts are going into getting the service up and running again and that a post-mortem of the attack will be provided.

It is unclear whether the claims the intruder made in the email about the weak password policy are true, as BrowserStack representatives have not provided any details.

[UPDATE]: Snehal Patel of BrowserStack used the comments section below to say that the service is about to be restored: the Automate and Screenshot services are already up and running, and users will be alerted of full restoration via email.

[UPDATE, November 11]: All BrowserStack services are now up and running.