
BrowserStack was hacked - spiralganglion
I just received a very strange email from the support account at BrowserStack. I cannot, however, verify the information.

The contents of the email: http://pastebin.com/RQXd2Au3

Can anyone else verify if they've received the email, or what the official word is?

If there's any information from the email itself that I can provide to verify the authenticity of the message, please let me know. I do have a BrowserStack account that I use regularly, and as such find this email to be quite worrisome.
======
rm999
They just tweeted this:

> We did get hacked. Currently sanitising entire BrowserStack, so service will
> be down for a while. We're on top of it & will keep you posted

[https://twitter.com/browserstack/status/531631012493524992](https://twitter.com/browserstack/status/531631012493524992)

~~~
JohnTHaller
They're a little less forthcoming on their website:

"We’ll be back soon!

Sorry for the inconvenience but we’re performing some maintenance at the
moment. If you need to you can always contact us, otherwise we’ll be back
online shortly!

— The Team"

~~~
macNchz
Rather than intentional deceit, this is likely their standard down-for-
maintenance page that just hasn't been updated to reflect the current
situation.

------
ladynerd
Standard post potential security incident rules apply folks.

Don't engage with suspicious emails. Do not attempt to access your account for
now. If you have used your Browserstack password elsewhere, go and change it
about the place. Watch out for any links from untrusted sources on this
subject as they may be malicious.

Hopefully there will be more solid updates soon.

~~~
jacquesm
> Don't engage with suspicious emails.

You shouldn't do that anyway, regardless of whether there is an incident afoot
or not.

> Do not attempt to access your account for now.

Why not? The horse has bolted. Just assume that it is compromised and that
anybody can read over your shoulder. That's probably safest with a service
like this anyway.

> If you have used your Browserstack password elsewhere, go and change it
> about the place.

No, if you've used your Browserstack password elsewhere then you should
_immediately stop that practice_ and use different passwords for _all_ the
services you use, not just change it everywhere else.

> Watch out for any links from untrusted sources on this subject as they may
> be malicious.

Links from untrusted sources can _always_ be malicious, and should be treated
as such. In general, if you didn't initiate the conversation you have to be
wary and you should _always_ verify the source of links in email or other
communications (and preferably websites) before you start running their code
(aka: clicking on their links).

If you are using Browserstack and if you plan on continuing to use them and/or
their competitors make sure you interface with test systems only and make sure
those systems do not contain any real (privacy sensitive) user data or other
data that might lead to your service being compromised in turn, assume someone
is reading over your shoulder at all times. This includes test scripts,
especially scripts containing credentials, those should really only live as
long as the test session.

------
globile
Regarding some of the actual claims, I had an issue a year back when I logged
into a session, and could perfectly see another user's session in progress,
internal url in the browser, mouse moving around.

I freaked out, watched for 3-4 seconds, and then got kicked out of the
session.

I opened a ticket with support, and they got back to me saying they had "fixed
the root cause".

I still use browserstack, but I'm really careful with passing along private
credentials.

~~~
aagha
Is there a good browserstack alternative?

~~~
vaidik
Good. Probably no. But there is Saucelabs.

~~~
bybjorn
There is, actually; Crossbrowsertesting.com .. it's good.

------
defied
This is why we at [http://testingbot.com](http://testingbot.com) provide a
pristine virtual machine every single time when offering browser testing.

After the test is done, libvirt destroys the machine to make sure nobody else
can see what you did with the virtual machine during testing.

~~~
conradk
Wow, that's just wrong... really?

~~~
cududa
How is it wrong? If someone was promoting their product in conjunction to some
loss of life, or tragedy, that would be wrong.

A service is proven insecure, so a founder provides his company's alternative
product.

~~~
conradk
@defied is basing his promotion of his/her product on an email from a hacker.
BrowserStack hasn't yet explained what happened exactly. That means that
he/she believes the email from the attacker? This is just wrong. He/she is
trying to use an event he/she might know nothing about.

Even huge companies like Google get hacked. So saying that you can do better
just because someone got hacked is just ridiculous. It's about how the hack
was handled and what information was disclosed that matters IMO. From what
BrowserStack says, it seems like only a few emails addresses were disclosed.
I'm not saying that this is bad. But this could have happened to any other
company. Everything in the fake email is probably bull---- (has anyone tried
to find out if anything in it was true?).

~~~
iancarroll
They've confirmed via Twitter this happened. If a company has a serious
security breach requiring them to take their entire fleet of servers offline,
I'd say it's prime time for advertising a competitor.

~~~
conradk
Yes, they did. But as I said, they didn't give much detail. But they did say
that only a few emails were disclosed. If you call that "serious", then OK,
but it could be much worse. The competitor is just profiting from something no
one has any real information about and is basing himself on an email sent by a
hacker: great!

------
chx
The port the pastebin claims is VNC. BrowserStack has a VNC repo and one of
the two contributors to it
[https://github.com/browserstack/OSXVNC/graphs/contributors](https://github.com/browserstack/OSXVNC/graphs/contributors)
has the same github handle as the alleged VNC password.

Putting said nick and VNC into Google also finds emails from quite probably
the same person to some VNC email lists.

I am not saying the pastebin is right but this makes one wonder.

Also, the VNC password -- at least by default tools -- indeed is stored in
plaintext (see
[http://linux.die.net/man/1/vncpasswd](http://linux.die.net/man/1/vncpasswd)
"Note that the stored password is not encrypted securely"). It should be
readable by the owner only, however.
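
On the file-permission point: because vncpasswd(1) stores the password only obfuscated rather than securely encrypted, the file's mode and owner are the real protection. The following audit script is an added example (not code from the thread or from any VNC project); it assumes the conventional ~/.vnc/passwd location for the home-directory scan, while the per-file checks themselves are path-agnostic.

```python
"""Audit VNC password files for permissions that let other local users read
them. Added example, not code from the thread or from any VNC project.
vncpasswd(1) stores the password only obfuscated, not securely encrypted, so
the file's mode and owner are the real protection. The ~/.vnc/passwd location
assumed here is the conventional one; the checks themselves are path-agnostic."""
import os
import stat
import tempfile


def audit_vnc_passwd(path, expected_uid=None):
    """Return a list of findings for one password file; [] means it looks fine."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["missing: no VNC password file at this path"]
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink: password file is a symbolic link")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append(f"group-accessible: mode {oct(mode)}")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"world-accessible: mode {oct(mode)}")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owner mismatch: uid {st.st_uid}, expected {expected_uid}")
    return findings


def harden_vnc_passwd(path):
    """Restrict the file to its owner only (mode 0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def audit_home_dirs(home_root="/home"):
    """Scan every <home>/.vnc/passwd under home_root and return
    {path: findings} for files with at least one finding. The expected owner
    is the owner of the home directory itself."""
    report = {}
    if not os.path.isdir(home_root):
        return report
    for entry in os.scandir(home_root):
        if not entry.is_dir(follow_symlinks=False):
            continue
        path = os.path.join(entry.path, ".vnc", "passwd")
        if not os.path.lexists(path):
            continue
        owner = entry.stat(follow_symlinks=False).st_uid
        findings = audit_vnc_passwd(path, expected_uid=owner)
        if findings:
            report[path] = findings
    return report


def demo():
    """Constructed scenario: a password file left world-readable is audited,
    hardened and audited again. Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        vnc_dir = os.path.join(tmp, ".vnc")
        os.mkdir(vnc_dir)
        path = os.path.join(vnc_dir, "passwd")
        with open(path, "wb") as f:
            f.write(b"\x00" * 8)  # placeholder bytes, not a real obfuscated password
        os.chmod(path, 0o644)  # the sloppy mode the audit should flag
        before = audit_vnc_passwd(path, expected_uid=os.getuid())
        harden_vnc_passwd(path)
        after = audit_vnc_passwd(path, expected_uid=os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
    for p, f in audit_home_dirs().items():
        print(p, f)
```

Running the script audits the constructed temporary file and then scans /home; an empty finding list means the file is owner-only and not a symlink. Note that this only covers the file on disk: a VNC server that still accepts the old password after a leak needs the password changed, not just the file re-chmodded.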

------
snehalvpatel86
We deeply apologise for the concerns that our users have been experiencing due
to the attack on BrowserStack. We have determined that the hacker's access has
been restricted solely to a list of email addresses. As a precaution, we
recommend changing your BrowserStack password.

We are still in the process of sanitisation, and making doubly sure this
situation never reoccurs. We are on top of it, and will post updates as they
happen. Thank you for your patience. BrowserStack will be back up in a few
hours.

-Snehal@BrowserStack

~~~
lenniez
The mail was sent from Amazon SES. To be able to send email from your domain
they had to verify it. TXT _amazonses.browserstack.com doesn't show any record
for verification. How could the hacker that had solely access to a list of
email addresses verify your domain?
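
One way to examine what lenniez describes from the receiving side is to triage the message headers: whether the mail was relayed through Amazon SES, and whether the receiving MTA's SPF/DKIM checks vouched for the domain shown in From:. The script below is an added example, not from the thread; the sample message is constructed (every address, IP and id is invented) and only mimics the shape of SES-relayed mail. A caveat worth knowing: SES can also verify a single sender address by emailing it a confirmation link, so the absence of a domain-level TXT record does not by itself rule out SES as the origin.

```python
"""Triage the headers of a suspicious message: was it relayed through Amazon
SES, and did the receiving MTA's SPF/DKIM checks vouch for the From: domain?
Added example; the message below is constructed and is not the actual
BrowserStack email."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample. The header shapes (Return-Path in amazonses.com,
# X-SES-Outgoing, an smtp-out.amazonses.com relay) mimic mail relayed via SES;
# every address, IP and id here is invented.
SAMPLE_RAW = """\
Return-Path: <0100014a1234abcd-1111-2222-3333-444455556666-000000@amazonses.com>
Received: from a8-31.smtp-out.amazonses.com (a8-31.smtp-out.amazonses.com [54.240.8.31])
 by mx.example.test (Postfix) with ESMTPS id ABC123
 for <user@example.test>; Sun, 9 Nov 2014 22:10:05 +0000 (UTC)
Authentication-Results: mx.example.test;
 spf=pass (sender IP is 54.240.8.31) smtp.mailfrom=amazonses.com;
 dkim=pass header.d=amazonses.com;
 dkim=none header.d=browserstack.com
X-SES-Outgoing: 2014.11.09-54.240.8.31
From: BrowserStack Support <support@browserstack.com>
To: user@example.test
Subject: BrowserStack is Shutting Down
Message-ID: <0100014a1234abcd-1111-2222-3333-444455556666-000000@email.amazonses.com>

(body omitted)
"""


def parse_auth_results(msg):
    """Return [(method, result, domain)] from every Authentication-Results header.

    The first ';'-separated clause is the authserv-id (the checking MTA) and is
    skipped; each later clause is one check such as 'dkim=pass header.d=x.com'."""
    clauses = []
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
            if not m:
                continue
            d = re.search(r"(?:header\.d|smtp\.mailfrom|header\.from)=([\w.-]+)", clause)
            clauses.append((m.group(1), m.group(2).lower(), d.group(1).lower() if d else None))
    return clauses


def ses_signals(msg):
    """Heuristic indicators that the message was relayed through Amazon SES.
    These are hints, not proof: a sender can configure a custom MAIL FROM
    domain, which moves the Return-Path out of amazonses.com."""
    signals = []
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    if return_path.rpartition("@")[2].lower().endswith("amazonses.com"):
        signals.append("return-path in amazonses.com")
    if msg.get("X-SES-Outgoing"):
        signals.append("X-SES-Outgoing header present")
    received = msg.get_all("Received") or []
    # The topmost Received header is the last hop before our own MX.
    if received and "amazonses.com" in str(received[0]).lower():
        signals.append("last relay is an amazonses.com host")
    return signals


def triage(raw):
    """Summarise the From: domain, the authentication results, the SES hints and
    whether any DKIM pass actually covers the From: domain."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    from_signed = any(m == "dkim" and r == "pass" and d == from_domain for m, r, d in auth)
    return {
        "from_domain": from_domain,
        "auth_results": auth,
        "ses_signals": ses_signals(msg),
        "from_domain_dkim_pass": from_signed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The point of the last field is that an SPF or DKIM "pass" on amazonses.com only says the relay was SES; it says nothing about whether browserstack.com authorised the message. A pass on the From: domain itself (header.d matching the From: domain) is what would indicate the sender controlled that domain's signing keys.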

~~~
snehalvpatel86
We will be sharing an entire post-mortem in the next few days. Currently, all
our efforts are focused on getting the service up and running and to ensure
our users’ interests are taken care of.

~~~
jacquesm
> and to ensure our users’ interests are taken care of.

Every time I see that line I know that 'users' interests are _not_ currently
taken care of'. If they were you'd be taking the GP a bit more seriously; he's
supposedly one of those users you're trying to take care of. If all you're
going to do here is to say 'nothing to see here folks and we're on top of it'
then you might as well say nothing.

------
pudquick
The tone of the email is very definitely meant to get the end user angry, this
is not a true shutdown email or public service announcement of any company
that expected to continue to exist / avoid lawsuits.

... Whether the company will continue to exist after this email is another
matter.

~~~
yuhong
Yea, I wonder whether there are companies that are really that honest, without
the root pw and port numbers of course.

------
jacquesm
This email spells 'bad leaver' all over. Besides that, even if it is a bad
leaver you'd hope that what's in that email isn't the truth but enough users
of browserstack have at least partially verified the truth of some of the
claims.

Browserstack is a very useful service, and it would be a pity to see them go.
That said, if the claims in the email are true then they deserve to be
replaced. Note how the email strikes right at the heart of the trust
relationship between browserstack and their customers, that's a very sensitive
spot for a company like this and it will take some iron clad and independently
verified claims to restore that confidence.

In the end the email may turn out to be prophetic in that it will in fact
cause browserstack to shut down.

The handwavy 'we're on top of it and we'll keep you posted' doesn't do much to
reassure, they're clearly _not_ on top of it (if they were this would have
never happened).

------
Igglyboo
Sounds like someone hacked their servers and this is their version of
disclosure.

~~~
jacquesm
Sounds like someone didn't like the terms of their severance and decided to
hit them hard by exposing some very dirty laundry.

~~~
njovin
Sounds like someone is likely to never be employed by a software company ever
again.

------
BenjaminBunny
I got it as well, came via an aws account.

I filled in a support request with browser stack.

Seems very odd, angry ex member of staff maybe??

~~~
gantengx
Yeah, looks like angry ex-employee(s)...

~~~
nodesocket
Seriously, how could ex-employees be so ignorant though? They are going to get
taken to court, and rightfully so.

~~~
jamesaguilar
IANAL, but I'm at least curious whether they'd be willing to take someone to
court when the discovery process would likely involve documenting claims of
false advertising. Whistleblower laws might also apply. Will be fascinating to
watch.

~~~
codeN
I don't think in India, where Browserstack is based, whistleblower laws are
that strong; the false claims could often be masked as a "flaw" or a bug
rather than by design, so I'm not sure how it plays out, but I think from
the looks of it, if it is an ex-employee, that person is in a riskier
position.

------
sagarapatil
All BrowserStack services are now up and running. We are keeping a strong
check on the system and will email all users the entire analysis.

Sagar @BrowserStack

------
timedoctor
I would probably still use them even if this information is true because we
never had any important data go through their service (just testing accounts)
and because I am not aware of any good alternatives.

... would look for an alternative first! But for now assuming that this is not
real, anyone checked if it is real?

~~~
tonetheman
CrossBrowserTesting.com provides both live testing (over 750+ browsers),
automated screenshots, and automated selenium / junit testing.

All VMs are destroyed after each use. It is more expensive to have to restart
each time, but we feel it is the right way to do it, and it ensures a clean
uncompromised configuration (disclaimer - I am one of the cofounders, so
extremely biased :) )

~~~
userbinator
I thought VM snapshotting facilities/copy-on-write made it almost trivial to
start with a fresh virgin one every time. With enough RAM on the VM host the
changes from one session wouldn't even need to be written to a physical disk.

~~~
tonetheman
We never write changes to disk, the code is trivial really. And it always
launches from a locked snapshot.

What we are always trying to optimize is the time to the user screen. That is
really the expensive part; once the disk reads happen we want a working
session on the user's screen as quick as we can get it. Or that is the plan
anyway. :)

------
Cub3
Here come the articles:

[http://www.neowin.net/news/browserstack-a-browser-testing-service-appears-to-have-been-significantly-compromised](http://www.neowin.net/news/browserstack-a-browser-testing-service-appears-to-have-been-significantly-compromised)

------
8ig8
Oddly enough they are currently down for maintenance...

We’ll be back soon!

Sorry for the inconvenience but we’re performing some maintenance at the
moment. If you need to you can always contact us, otherwise we’ll be back
online shortly!

— The Team

~~~
DevX101
It was online around the time of OP's post. Looks like they went offline in
response to this event.

------
bhouston
Are the security claims in the email real? It should be possible to verify
relatively easily -- and it should be done soon, before they patch the security
issues.

~~~
xzlzx
I don't think there's any way this is a real email. You'd think they have a
little more dignity than this. Revealing ports and passwords is completely
insane.

~~~
disordinary
It's definitely not an official email, but that doesn't mean the content is
not real.

~~~
xzlzx
Very true.

------
dsr12
Do the passwords provided in the mail actually work?

~~~
13
You'd be stupid to try and find out.

~~~
jpgoldberg
If you (with some care) tried against your own instance, I don't think it
would be too stupid. At the very least see if there is something listening on
port 5901.

------
DevX101
This sounds like someone got hacked.

------
swartkrans
I don't know if they're shutting down, they have to feel the heat somewhat
from Microsoft's free IE testing service[1] though. modern.ie still has
references to browserstack, but I wonder why.

[1] [https://remote.modern.ie/](https://remote.modern.ie/)

~~~
itry
"you’ll need to download the RemoteApp client"

Microsoft still stuck in the 90s.

~~~
dummyfellow
Curious what a 2010s solution would be; I believe these apps run as if they
were on the local machine.

------
MalcolmDiggs
How bizarre, that seems like a disgruntled user; even if they _were_ shutting
down, they wouldn't word the email that way.

------
praveenrajan
Prevention is better than cure, so better to find an alternative solution. There
is a secure storage software called basefolder
([http://www.basefolder.com](http://www.basefolder.com))

------
Kroshn
Got that same email. Went to browserstack.com and found a maintenance sign.

What's going on?

------
snehalvpatel86
Automate and Screenshot services are up and running. Live will shortly be up
as well. We will be emailing all our users with the entire analysis of the
attack soon. Thank you for your patience.

-Snehal @ BrowserStack

------
BorisMelnik
Don't want to overstate the obvious but this seems personally motivated. The
whole password policy thing sounds reasonable, but don't most admins have
access to pretty much everything?

~~~
freshflowers
There's no reason for admins to have access to temporary VMs that are created
for the sole reason of running browser tests.

It also makes incidents like this much harder to happen in the first place.

------
m1stert
Doesn't surprise me. Easy to open a terminal in their OSX VMs and poke around.
Guessing someone a lot more knowledgeable than me could wreak some havoc.

~~~
grrowl
It should be secure to the point they assume all VMs are always compromised,
especially given the risky climate online.

------
general_failure
I guess that's the death knell for browserstack :-(? I am always worried that
something like this happens to all those cloud providers out there...

------
nodesocket
Could you post the entire raw message headers? Interested to see if it was
sent from Amazon simple email service.

------
munimkazia
Considering that they are actively hiring in their Mumbai office, I really
doubt that they are shutting down.

------
uladzislau
It's hard to believe it's a legit email; more likely their system has been
compromised.

------
sbolak
Happened for us as well, definitely got hacked by some joe schmoe, or a
disgruntled employee.

------
disordinary
Back online now, hopefully some information will be forthcoming.

------
smathieu
The browserstack website is currently down for me. Anyone else?

------
pdknsk
> BrowserStack is Shutting Down

While the email is certainly not legitimate, the subject may very well turn
out to be true. Should a company which is indeed so negligent continue to be
in business? I guess we will find out.

~~~
sysk
They probably got hacked. This happens to the best companies and nothing much
can be done about it. I don't think it's fair to call them "so negligent" yet.

~~~
pdknsk
> This happens to the best companies and nothing much can be done about it.

I agree with the first half of your sentence, but not the rest. A lot can be
done and many companies do.

------
jtchang
That email looks like a very targeted email.

------
haridas
Man... this looks like an insider attack. Such a targeted attack is very rare
for a company like this! Hope they will resolve it as early as possible.

~~~
meowface
Well, if what the perpetrator says in the email is actually true, it looks
like it would've been very easy for any customer to gain the same level of
unauthorized access.

------
general_failure
If this is a disgruntled employee, this has to be the stupidest move ever on
his/her part. He will definitely be jailed for this.

------
akurland
I just got this also. Hopefully this isn't true.

------
WorldWideWayne
I just got an email that my account was automatically renewed, so I hope not!

------
darrough
I just got this too.

------
algofoogle
I have received the same email notification, and submitted a story to
Slashdot:

[http://slashdot.org/submission/3969603/browserstack-compromised](http://slashdot.org/submission/3969603/browserstack-compromised)

Up-vote it (+) if you have received the email and you ARE a BrowserStack
customer.

