BrowserStack was hacked
I just received a very strange email from the support account at BrowserStack. I cannot, however, verify the information.
The contents of the email: http://pastebin.com/RQXd2Au3
Can anyone else verify if they've received the email, or what the official word is?
If there's any information from the email itself that I can provide to verify the authenticity of the message, please let me know. I do have a BrowserStack account that I use regularly, and as such find this email to be quite worrisome.
117 comments
[ 3.6 ms ] story [ 194 ms ] threadI filled in a support request with browser stack.
Seems very odd, angry ex member of staff maybe??
Edit: I just double-checked. Previous support@ emails were not sent via AmazonSES. This one was.
We’ll be back soon!
Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!
— The Team
What's going on?
... would look for an alternative first! But for now assuming that this is not real, anyone checked if it is real?
(Disclaimer: Former Saucelabs employee. Currently doing other things unrelated and don't keep in touch, but I definitely know the Sauce claims in http://sauceio.com/index.php/2011/09/security-through-purity... are true.)
Every session gets a brand new VM and they have some great automation and manual features.
All VMs are destroyed after each use. It is more expensive to have to restart each time, but we feel it is the right way to do it, and it ensures a clean uncompromised configuration (disclaimer - I am one of the cofounders, so extremely biased :) )
What we are always trying to optimize is the time to the user screen. That is really the expensive part, once the disk reads happen we want a working session on the users screen as quick as we can get it. Or that is the plan anyway. :)
(Disclosure: I'm the co founder.)
... Whether the company will continue to exist after this email is another matter.
[1] https://remote.modern.ie/
>We've partnered with BrowserStack to bring you interactive browser testing on the cloud.
Microsoft still stuck in the 90s.
Don't engage with suspicious emails. Do not attempt to access your account for now. If you have used your Browserstack password elsewhere, go and change it about the place. Watch out for any links from untrusted sources on this subject as they may be malicious.
Hopefully there will be more solid updates soon.
You shouldn't do that anyway, regardless of whether there is an incident afoot or not.
> Do not attempt to access your account for now.
Why not? The horse has bolted. Just assume that it is compromised and that anybody can read over your shoulder. That's probably safest with a service like this anyway.
> If you have used your Browserstack password elsewhere, go and change it about the place.
No, if you've used your Browserstack password elsewhere then you should immediately stop that practice and use different passwords for all the services you use, not just change it everywhere else.
> Watch out for any links from untrusted sources on this subject as they may be malicious.
Links from untrusted sources can always be malicious, and should be treated as such. In general, if you didn't initiate the conversation you have to be wary and you should always verify the source of links in email or other communications (and preferably websites) before you start running their code (aka: clicking on their links).
If you are using Browserstack and if you plan on continuing to use them and/or their competitors make sure you interface with test systems only and make sure those systems do not contain any real (privacy sensitive) user data or other data that might lead to your service being compromised in turn, assume someone is reading over your shoulder at all times. This includes test scripts, especially scripts containing credentials, those should really only live as long as the test session.
http://slashdot.org/submission/3969603/browserstack-compromi...
Up-vote it (+) if you have received the email and you ARE a BrowserStack customer.
I freaked out, watched for 3-4 seconds, and then got kicked out of the session.
I opened a ticket with support, and they got back to me saying they had "fixed the root cause".
I still use browserstack, but I'm really careful with passing along private credentials.
Also the VMs aren't locked down as tightly as they ought to be, last time I poked around in the Windows ones there were a few folders left writeable that shouldn't have been, ones with executables and scripts in used to control it.
That said, their service is so very useful that I continued using them anyway. My use case is just to occasionally check some public-facing websites are rendering properly on various browsers, so no big deal if someone snoops on that.
I raised the issue with them back in July 2013, but was initially brushed off. A couple more aggressive emails and they finally responded after 2 weeks saying the issue had been solved.
Haven't had problems since, but still wary..
It's just as probable that I connected in while the users were idling.
Pity I wasn't fast on a screen capture!
browserling.com
While the email is certainly not legitimate, the subject may very well turn out to be true. Should a company which is indeed so negligent continue to be in business? I guess we will find out.
I agree with the first half of your sentence, but not the rest. A lot can be done and many companies do.
>We did get hacked. Currently sanitising entire BrowserStack, so service will be down for a while. We're on top of it & will keep you posted
https://twitter.com/browserstack/status/531631012493524992
"We’ll be back soon!
Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!
— The Team"