BrowserStack was hacked

262 points by spiralganglion ↗ HN
I just received a very strange email from the support account at BrowserStack. I cannot, however, verify the information.

The contents of the email: http://pastebin.com/RQXd2Au3

Can anyone else verify if they've received the email, or what the official word is?

If there's any information from the email itself that I can provide to verify the authenticity of the message, please let me know. I do have a BrowserStack account that I use regularly, and as such find this email to be quite worrisome.

117 comments

[ 3.6 ms ] story [ 194 ms ] thread
This sounds like someone got hacked.
How bizarre, that seems like a disgruntled user; even if they were shutting down, they wouldn't word the email that way.
I got it as well, came via an aws account.

I filled in a support request with browser stack.

Seems very odd, angry ex member of staff maybe??

That was my immediate thought. This really does have the tone of a disgruntled (ex-)employee.

Edit: I just double-checked. Previous support@ emails were not sent via AmazonSES. This one was.

Their previous marketing mails were send using Amazon SES. Just like this one successfully signed with DKIM. Looks like the hacker had access to their Amazon SES credentials.
Yeah, looks like angry ex-employee(s)...
Seriously, how could ex-employees be so ignorant though? They are going to get taken to court, and rightfully so.
IANAL, but I'm at least curious whether they'd be willing to take someone to court when the discovery process would likely involve documenting claims of false advertising. Whistleblower laws might also apply. Will be fascinating to watch.
I don't think in India, where Browserstack is based, Whistleblower laws are that strong, the false claims could often be masked as a "flaw" and a bug rather than by design, and hence not sure how it plays out, but I think from the looks of it, if it is an ex-employee, that person is at a riskier position.
Curious as to how you're determining that...?
Do the passwords provided in the mail actually work?
You'd be stupid to try and find out.
If you (with some care) tried against your own instance, I don't think it would be too stupid. At the very least see if there is something listening on port 5901.
(comment deleted)
I don't think that is very fair. You would be able to test it out on your own VM, for instance.
On your own VM?
Is the security claims in the email real? It should be possible to verify relatively easily -- and it should be done soon before they patch the security issues.
And hopefully the patch is more than just "looks like it's time to change the root password"; if the claims in the paste are even remotely true, they have deeper OpSec problems which will take longer than a brief maintenance window to fix...
I don't think there's anyway this is a real email. You'd think they have a little more dignity than this. Revealing ports and passwords is completely insane.
It's definitely not an official email, but that doesn't mean the content is not real.
Oddly enough they are currently down for maintenance...

We’ll be back soon!

Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!

— The Team

It was online around the time of OP's post. Looks like they went offline in response to this event.
The browserstack website is currently down for me. Anyone else?
Got that same email. Went to browserstack.com and found a maintenance sign.

What's going on?

i just got this also. Hopefully this isn't true.
I would probably still use them even if this information is true because we never had any important data go through their service (just testing accounts) and because I am not aware of any good alternatives.

... would look for an alternative first! But for now assuming that this is not real, anyone checked if it is real?

I've been using saucelabs for over a year. It's very comparable
Worth mentioning that Saucelabs takes security very seriously. If anything in this email is true (I can't speak to it at all), then I wouldn't use BrowserStack for testing anything connected to my systems. Sauce, on the otherhand, destroys every VM after each use, guaranteeing that you get a known good (and uncompromised) state for each usage. And unlimited manual testing is $10 a month, which is a great price.

(Disclaimer: Former Saucelabs employee. Currently doing other things unrelated and don't keep in touch, but I definitely know the Sauce claims in http://sauceio.com/index.php/2011/09/security-through-purity... are true.)

I've been looking into them for automated testing of our frontend, and their automated testing hours per day looks like the best bang for the buck for our price range.
SauceLabs.com is an excellent alternative.

Every session gets a brand new VM and they have some great automation and manual features.

CrossBrowserTesting.com provides both live testing (over 750+ browsers), automated screenshots, and automated selenium / junit testing.

All VMs are destroyed after each use. It is more expensive to have to restart each time, but we feel it is the right way to do it, and it ensures a clean uncompromised configuration (disclaimer - I am one of the cofounders, so extremely biased :) )

I thought VM snapshotting facilities/copy-on-write made it almost trivial to start with a fresh virgin one every time. With enough RAM on the VM host the changes from one session wouldn't even need to be written to a physical disk.
We never write changes to disk, the code is trivial really. And it always launches from a locked snapshot.

What we are always trying to optimize is the time to the user screen. That is really the expensive part, once the disk reads happen we want a working session on the users screen as quick as we can get it. Or that is the plan anyway. :)

(comment deleted)
Currently attempting to convince our team to switch to you guys (not just because of this event) your service is sooo much faster!
Browserling.com is an alternative.

(Disclosure: I'm the co founder.)

It's hard to belive it's a legit email, more likely their system has been compromised.
Sounds like someone hacked their servers and this is how their version of disclosure.
Sounds like someone didn't like the terms of their severance and decided to hit them hard by exposing some very dirty laundry.
Sounds like someone is likely to never be employed by a software company ever again.
Happened for us as well, definitely got hacked by some joe schmoe, or a disgruntled employee.
(comment deleted)
The tone of the email is very definitely meant to get the end user angry, this is not a true shutdown email or public service announcement of any company that expected to continue to exist / avoid lawsuits.

... Whether the company will continue to exist after this email is another matter.

Yea, I wonder whether there are companies that are really that honest, without the root pw and port numbers of course.
I don't know if they're shutting down, they have to feel the heat somewhat from Microsoft's free IE testing service[1] though. modern.ie still has references to browserstack, but I wonder why.

[1] https://remote.modern.ie/

Too bad that they've partnered with browserstack!

>We've partnered with BrowserStack to bring you interactive browser testing on the cloud.

"you’ll need to download the RemoteApp client"

Microsoft still stuck in the 90s.

curious what would be a 2010s solution, I believe these apps run as if they are on local machine.
Standard post potential security incident rules apply folks.

Don't engage with suspicious emails. Do not attempt to access your account for now. If you have used your Browserstack password elsewhere, go and change it about the place. Watch out for any links from untrusted sources on this subject as they may be malicious.

Hopefully there will be more solid updates soon.

(comment deleted)
> Don't engage with suspicious emails.

You shouldn't do that anyway, regardless of whether there is an incident afoot or not.

> Do not attempt to access your account for now.

Why not? The horse has bolted. Just assume that it is compromised and that anybody can read over your shoulder. That's probably safest with a service like this anyway.

> If you have used your Browserstack password elsewhere, go and change it about the place.

No, if you've used your Browserstack password elsewhere then you should immediately stop that practice and use different passwords for all the services you use, not just change it everywhere else.

> Watch out for any links from untrusted sources on this subject as they may be malicious.

Links from untrusted sources can always be malicious, and should be treated as such. In general, if you didn't initiate the conversation you have to be wary and you should always verify the source of links in email or other communications (and preferably websites) before you start running their code (aka: clicking on their links).

If you are using Browserstack and if you plan on continuing to use them and/or their competitors make sure you interface with test systems only and make sure those systems do not contain any real (privacy sensitive) user data or other data that might lead to your service being compromised in turn, assume someone is reading over your shoulder at all times. This includes test scripts, especially scripts containing credentials, those should really only live as long as the test session.

(comment deleted)
I just got an email that my account was automatically renewed, so I hope not!
Regarding some of the actual claims, I had an issue a year back when I logged into a session, and could perfectly see another user's session in progress, internal url in the browser, mouse moving around.

I freaked out, watched for 3-4 seconds, and then got kicked out of the session.

I opened a ticket with support, and they got back to me saying they had "fixed the root cause".

I still use browserstack, but I'm really careful with passing along private credentials.

I've encountered similar oddities, seeing the remnants of other users' sessions, but no mouse movements so I guess they'd been recently terminated.

Also the VMs aren't locked down as tightly as they ought to be, last time I poked around in the Windows ones there were a few folders left writeable that shouldn't have been, ones with executables and scripts in used to control it.

That said, their service is so very useful that I continued using them anyway. My use case is just to occasionally check some public-facing websites are rendering properly on various browsers, so no big deal if someone snoops on that.

I really saw mouse movement and url typing, even though it was only a few seconds.

I raised the issue with them back in July 2013, but was initially brushed off. A couple more aggressive emails and they finally responded after 2 weeks saying the issue had been solved.

Haven't had problems since, but still wary..

Sorry I didn't mean to sound like I was doubting your account, was intended as a confirmation of your sightings!

It's just as probable that I connected in while the users were idling.

No worries! Just pointing out the fact that they didn't seem too worried about the issue when first notified, and I really had to press to get some attention.

Pity I wasn't fast on a screen capture!

Is there a good browserstack alternative?
I think browserling is a similar service.

browserling.com

Good. Probably no. But there is Saucelabs.
There is, actually; Crossbrowsertesting.com .. it's good.
The only other 2 I could think of is SauceLabs and Rainforest QA.
that happened to customers at a company I worked for. Turned out to be awful handling of threading in a rails app caused sessions to get mixed up.
Same here, in Nov 2011. I contacted support, told them about it, and cancelled my account/sub right away back then -- I was using Browserstack for developing client sites and applications, and didn't feel like getting sued over a service I am using potentially leaking sensitive information.
> BrowserStack is Shutting Down

While the email is certainly not legitimate, the subject may very well turn out to be true. Should a company which is indeed so negligent continue to be in business? I guess we will find out.

They probably got hacked. This happens to the best companies and nothing much can be done about it. I don't think it's fair to call them "so negligent" yet.
> This happens to the best companies and nothing much can be done about it.

I agree with the first half of your sentence, but not the rest. A lot can be done and many companies do.

They just tweeted this:

>We did get hacked. Currently sanitising entire BrowserStack, so service will be down for a while. We're on top of it & will keep you posted

https://twitter.com/browserstack/status/531631012493524992

They're a little less forthcoming on their website:

"We’ll be back soon!

Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!

— The Team"

(comment deleted)
Rather than intentional deceit, this is likely their standard down-for-maintenance page that just hasn't been updated to reflect the current situation.
If they don't deliver some kind of post-mortem for this, the problem isn't likely to go away.
I'm not ruling out the possibility that their twitter was compromised, but this is looking bad quickly.
(comment deleted)
doesn't surprise me. easy to open a terminal in their OSX vms and poke around. guessing someone a lot more knowledgable than me could wreak some havoc.
It should be secure to the point they assume all VMs are always compromised, especially given the risky climate online.