Connect with us

Hi, what are you looking for?


Incident Response

BrowserStack Says Hackers Exploited ShellShock Vulnerability

BrowserStack, the cross-browser testing service, has provided more details on the attack in which a hacker gained access to information belonging to some of the company’s customers.

BrowserStack, the cross-browser testing service, has provided more details on the attack in which a hacker gained access to information belonging to some of the company’s customers.

The attacker stole email addresses and used them to send out messages claiming that the company was shutting down after lying to its customers about the security of its services. BrowserStack was forced to suspend its services for several hours following the breach.

BrowserStack provides its services to more than 500,000 developers. The company says the attacker attempted to send out the fake emails to all registered users, but only reached less than 1% of them (roughly 5,000 users).

“BrowserStack application servers run using Amazon Web Services. The configuration is vast, consisting of thousands of servers. One of these was an old prototype machine, which was the target of the breach,” BrowserStack founders Ritesh Arora and Nakul Aggarwal said in a statement on Wednesday.

Arora and Aggarwal said the breached server had been running since 2012, but it was not in active use so it wasn’t properly patched. The attacker leveraged the recently disclosed GNU Bash vulnerability referred to as ShellShock to gain access. Production servers were also targeted with a ShellShock exploit, but the attacks failed because these machines were patched.

“The old prototype machine had our AWS API access key and secret key. Once the hacker gained access to the keys, he created an IAM user, and generated a key-pair. He was then able to run an instance inside our AWS account using these credentials, and mount one of our backup disks. This backup was of one of our component services, used for production environment, and contained a config file with our database password. He also whitelisted his IP on our database security group, which is the AWS firewall,” BrowserStack founders said.

The hacker started copying data from a table containing email addresses, hashed passwords, and last tested URLs. However, his actions were picked up by the company’s monitoring system and his IP was blocked by BrowserStack, but not before he managed to copy a portion of the data. 

BrowserStack has pointed out that the hacker hasn’t gained access to any credit card information since the company users a third-party payment processor and only stores the last four digits of the card number. The company says it’s confident that no other services have been compromised.

Advertisement. Scroll to continue reading.

BrowserStack believes the account passwords obtained by the attacker cannot be cracked since they were salted and hashed with bcrypt, but advises customers to change them as a precaution.

Responding to accusations

 In the fake email sent out to users, the hacker said the service is not as secure as it’s developers claim.

“Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password ‘nakula’ on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched (c0stac0ff33),” the hacker wrote.

Arora and Aggarwal have admitted using port 5901 for the VNC server, but denied storing passwords in plaintext on virtual machines. They claim the passwords referenced by the attacker were used at some point, but not any more.

“Both the passwords mentioned, ‘nakula’ and ‘c0stac0ff33’, were indeed in use a couple of years ago during our prototyping phase, and thus were present in the old prototype machine that was hacked,” they said.


On the other hand, the founders admit that it was a mistake to leave the inactive server unattended.

“All our servers, running or not, whether in active use or not, should have been patched with the latest security upgrades and updates including the shellshock one. Moreover, servers not in active use should have been stopped and the server shouldn’t have had the AWS keys,” they noted.

The company has implemented additional security measures following the incident and plans on filing an official complaint with authorities. BrowserStack claims to have “a trace and the IP of the hacker.”

Related Reading: Attackers Exploit ShellShock via SMTP to Distribute Malware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.