BrowserStack, a browser testing service, hacked and compromised, Paste claims it is shutting down

BrowserStack, a browser testing service, hacked and compromised, Paste claims it is shutting down

BrowserStack was today hacked and compromised.  A tweet was made from the BrowserStack account accepting the same. Though at present it is not known how many of user accounts may have been compromised in the hack.

We did get hacked. Currently sanitising entire BrowserStack, so service will be down for a while. We're on top of it & will keep you posted.

— BrowserStack (@browserstack) November 10, 2014

What is BrowserStack?

BrowserStack is a cross-browser testing tool which lets users test public websites and protected servers, on a cloud infrastructure of desktop and mobile browsers. As of today it offers testing of 700 different browsers across 11 different operating systems through the use of virtual machines.Websites can be tested interactively, or through the use of Selenium or JavaScript automated test suites. The features include 700+ real browsers, Local Testing, Screenshots, Responsive, developer tools, and APIs for integration among others.

BrowserStack was founded by Ritesh Arora and Nakul Aggarwal in April 2011, and launched fully in September 2011. It has gained widespread acceptance in the web development community, as of August 2014, there are 25,000 customers and 520,000 registered developers in 130+ countries.  It is a paid service with plans ranging from $39/month through to $399/month and claims to have 25,000 customers including Wikipedia, Ubuntu, Adobe, eBay and Stanford University. Microsoft has also partnered with BrowserStack and advertises their services.

Pastebin Paste

Meanwhile just after the BrowserStack tweeted about it being compromised, a Paste on Pastebin surfaced.  The Paste which is reproduced below says that BrowserStacks lied to its customers about various aspects of security.

Dear BrowserStack User,

We are unfortunately displeased to announce that BrowserStack will be shutting down. After much consideration on our part, we have realized we were negligent in the services we claimed to offer. In our terms of service, we state the following:

[…] after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof.

[…] The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.

[…] At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.

Unfortunately, we have blatantly lied. Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password “nakula” on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched (“c0stac0ff33”).

Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised. These passwords take no less than 15 minutes to find for anyone who is looking.

We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.
Sincerely,
The BrowserStack Team

There are reports that this paste was also sent as an email to many of BrowserStack customers.  It is highly likely that the email may have originated from the hackers who may have all the user ids of the customers.

As of now the BrowserStack website has gone offline and is now displaying a site maintenance message.