BrowserStack is a cross-browser testing tool,to test public websites and protected servers,on a cloud infrastructure of desktop and mobile devices.BrowserStack on November 9,2014 at 23:30 GMT suffers a data breach.Currently comapany does not know how many user accounts have been compromised.
BrowserStack responded with the following statement this morning.
BrowserStack is not shutting down. An attacker gained access to a list of user email addresses on BrowserStack on 9 November, 2014 at 23:30 GMT.
We deeply apologise for the concerns that our users have been experiencing due to the attack on BrowserStack. We have determined that the hacker’s access was restricted solely to that list of email addresses. As a precaution, we recommend changing your BrowserStack password.
We are still in the process of sanitisation, and making doubly sure this situation never reoccurs. We are on top of it, and will post updates as they happen.
Thank you for your patience. BrowserStack will be back up in a few hours.
Regards,
Adithya Chadalawada
We did get hacked. Currently sanitising entire BrowserStack, so service will be down for a while. We're on top of it & will keep you posted.
— BrowserStack (@browserstack) November 10, 2014
An Anonymous user said that he have received the following mail from BrowserStack customer care.He posted the following mail on pastebin.Dear BrowserStack User,Today morning BrowserStack website was gone offline and showing a site maintenance message.
We are unfortunately displeased to announce that BrowserStack will be shutting down. After much consideration on our part, we have realized we were negligent in the services we claimed to offer. In our terms of service, we state the following:
[...] after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof.
[...] The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.
[...] At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.
Unfortunately, we have blatantly lied. Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password "nakula" on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched ("c0stac0ff33").
Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised. These passwords take no less than 15 minutes to find for anyone who is looking.
We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.
Sincerely,
The BrowserStack Team
Post a Comment