
BrowserStack Says Hackers Exploited ShellShock Vulnerability

BrowserStack, the cross-browser testing service, has provided more details on the attack in which a hacker gained access to information belonging to some of the company's customers.

The attacker stole email addresses and used them to send out messages claiming that the company was shutting down after lying to its customers about the security of its services. BrowserStack was forced to suspend its services for several hours following the breach.

BrowserStack provides its services to more than 500,000 developers. The company says the attacker attempted to send the fake email to all registered users but reached fewer than 1% of them (roughly 5,000 users).

"BrowserStack application servers run using Amazon Web Services. The configuration is vast, consisting of thousands of servers. One of these was an old prototype machine, which was the target of the breach," BrowserStack founders Ritesh Arora and Nakul Aggarwal said in a statement on Wednesday.

Arora and Aggarwal said the breached server had been running since 2012 but was no longer in active use, so it had not been kept patched. The attacker exploited the recently disclosed GNU Bash vulnerability known as ShellShock (CVE-2014-6271) to gain access. Production servers were hit with the same ShellShock exploit, but those attacks failed because the machines were patched.

"The old prototype machine had our AWS API access key and secret key. Once the hacker gained access to the keys, he created an IAM user, and generated a key-pair. He was then able to run an instance inside our AWS account using these credentials, and mount one of our backup disks. This backup was of one of our component services, used for production environment, and contained a config file with our database password. He also whitelisted his IP on our database security group, which is the AWS firewall," BrowserStack founders said.

The hacker started copying data from a table containing email addresses, hashed passwords, and last tested URLs. However, his actions were picked up by the company's monitoring system and his IP was blocked by BrowserStack, but not before he managed to copy a portion of the data. 
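The founders' account describes a recognisable sequence of AWS API calls from one outside address: create an IAM user, create its access key, launch an instance, attach a backup volume, then open the database security group to the caller's own IP. Every one of those calls is logged by CloudTrail, so the sequence can be detected before the data copy starts rather than during it. The block below is an added example, not BrowserStack's monitoring; the events are constructed in CloudTrail's field layout with invented values, and the trusted egress range is a hypothetical one for the organisation's own offices.

```python
import ipaddress
from collections import defaultdict

# Hypothetical: address space the organisation's own staff and CI call AWS from.
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# The API calls in the founders' description, in the order they were used.
PRIVILEGE_CHAIN = (
    "CreateUser",                     # new IAM user for persistence
    "CreateAccessKey",                # key pair for that user
    "RunInstances",                   # attacker-controlled EC2 instance
    "AttachVolume",                   # mount a backup disk on it
    "AuthorizeSecurityGroupIngress",  # open the DB security group to his IP
)

# Constructed sample records (CloudTrail field names, invented values).
SAMPLE_EVENTS = [
    {"eventTime": "2014-11-09T09:58:01Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
     "requestParameters": {}},
    {"eventTime": "2014-11-09T10:00:12Z", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "prototype-2012"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2014-11-09T10:00:40Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "prototype-2012"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2014-11-09T10:03:05Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc"},
     "requestParameters": {}},
    {"eventTime": "2014-11-09T10:06:30Z", "eventName": "AttachVolume",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc"},
     "requestParameters": {"volumeId": "vol-0a1b2c3d", "device": "/dev/sdf"}},
    {"eventTime": "2014-11-09T10:09:52Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc"},
     "requestParameters": {"groupId": "sg-0db0prod", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "198.51.100.7/32"}]}}]}}},
]


def is_trusted(ip, trusted=TRUSTED_CIDRS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def self_whitelisted_cidrs(event):
    """CIDRs opened by an AuthorizeSecurityGroupIngress call that equal the caller's own IP."""
    if event["eventName"] != "AuthorizeSecurityGroupIngress":
        return []
    own = ipaddress.ip_network(event["sourceIPAddress"] + "/32")
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    opened = [r["cidrIp"] for p in perms for r in p.get("ipRanges", {}).get("items", [])]
    return [c for c in opened if ipaddress.ip_network(c) == own]


def analyze(events, trusted=TRUSTED_CIDRS, min_chain=3):
    """Group events by caller IP; flag untrusted IPs that walk the chain or whitelist themselves."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["sourceIPAddress"]].append(ev)
    findings = []
    for ip, evs in sorted(by_ip.items()):
        if is_trusted(ip, trusted):
            continue
        seen = {ev["eventName"] for ev in evs}
        chain = [step for step in PRIVILEGE_CHAIN if step in seen]
        self_wl = [c for ev in evs for c in self_whitelisted_cidrs(ev)]
        if len(chain) >= min_chain or self_wl:
            findings.append({
                "sourceIP": ip,
                "chain": chain,
                "self_whitelisted": self_wl,
                "identities": sorted({ev["userIdentity"].get("userName", ev["userIdentity"]["type"])
                                      for ev in evs}),
                "first": min(ev["eventTime"] for ev in evs),
                "last": max(ev["eventTime"] for ev in evs),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['sourceIP']} {f['first']}..{f['last']} as {f['identities']}: "
              f"{' -> '.join(f['chain'])}; self-whitelisted {f['self_whitelisted']}")
```

The self-whitelist rule fires on a single event, which matters here: the security-group change came last in the chain but was the step that exposed the database, and an alert at that point arrives before any rows are read. The chain threshold catches the earlier persistence steps even when the attacker uses a different address for the final call.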

BrowserStack has pointed out that the hacker did not gain access to any credit card information, since the company uses a third-party payment processor and stores only the last four digits of the card number. The company says it is confident that no other services have been compromised.

BrowserStack believes the account passwords obtained by the attacker cannot practically be cracked, since they were salted and hashed with bcrypt, a deliberately slow hash that makes offline guessing expensive but does not protect weak or reused passwords. It advises customers to change them as a precaution.

Responding to accusations

In the fake email sent out to users, the hacker said the service is not as secure as its developers claim.

"Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password 'nakula' on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched (c0stac0ff33)," the hacker wrote.

Arora and Aggarwal admitted using port 5901 for the VNC server, but denied storing passwords in plaintext on virtual machines. They say the passwords referenced by the attacker were used at some point but are no longer in use.

"Both the passwords mentioned, ‘nakula’ and ‘c0stac0ff33’, were indeed in use a couple of years ago during our prototyping phase, and thus were present in the old prototype machine that was hacked," they said.


On the other hand, the founders admit that it was a mistake to leave the inactive server unattended.

"All our servers, running or not, whether in active use or not, should have been patched with the latest security upgrades and updates including the shellshock one. Moreover, servers not in active use should have been stopped and the server shouldn’t have had the AWS keys," they noted.

The company has implemented additional security measures following the incident and plans on filing an official complaint with authorities. BrowserStack claims to have "a trace and the IP of the hacker."


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.