HackDig : Dig high-quality web security articles for hacker

BrowserStack Hacked, Attacker Sends Email Pointing Out Security Fails

2014-11-10 10:25

An unauthorized individual gained access to the BrowserStack computer system and delivered an email to a set of users, warning about the security flaws of the service.

BrowserStack is designed as a cloud infrastructure where web developers can test their websites on different web browsers for desktop and mobile operating systems, which run on virtual machines.

The number of customers reached 25,000 in August and more than half a million developers from across the globe have registered for the service.

Company admits the intrusion, hacker delivers message announcing service shutdown

The officials admitted to the hack incident and said that the service would not be available for a while as the maintainers work on getting it cleaned up.

“We did get hacked. Currently sanitising entire BrowserStack, so service will be down for a while. We're on top of it & will keep you posted,” the company said in a tweet.

Not many details are available about the incident, but the company said in a subsequent message that the attacker managed to get access only to a list of email addresses.

This was actually enough for the hacker, who proceeded to send users an email claiming to be from the BrowserStack team announcing that the service would be terminated because of failing to respect the security promises included in the terms of service document.

The hacker basically accused the company of not being able to guarantee access to the virtual machine only to the tester because of the lack of firewalls and very weak password policy.

The letter from the hacker starts by letting the recipient know that the BrowserStack service will be shutting down. “After much consideration on our part, we have realized we were negligent in the services we claimed to offer,” the hacker writes.

Service relies on only one root password that is easy to find

The intruder goes on to say that not only all BrowserStack administrators have access to the virtual machines used by the testing customers, but anyone else too.

“All virtual machines launched are open to the public, accessible to anyone with the alpha password ‘nakula’ on port 5901, a password which is stored in plaintext on every VM,” the message posted on Pastebin says.

Even more, the attacker claims that BrowserStack relies on the same root password on all machines, which can be found in plain text on every launched virtual machine.

In response, the company says that all efforts go into getting the service up and running again and that a post-mortem of the attack would be provided.

It is unclear if the claims made by the intruder in the email about the weak password policy are true, as no details have been provided by BrowserStack representatives.
   


Source: 2UtIXZrNWY0RXQtQWZrNWYI1yajFGdTJXZzd3byJ0LzdXZu9SbvNmLhlGZlBHdm92cuM3dl52LvoDc0RHa/ca.ssr.dps

Read:1628 | Comments:0 | Tags:Hacking News

“BrowserStack Hacked, Attacker Sends Email Pointing Out Security Fails”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud