BrowserStack is a service that lets its users test their websites on over 700 browsers across 11 operating systems by way of virtual machines. It is a paid service, with plans ranging from $39/month to $399/month, and claims to have 25,000 customers including Wikipedia, Ubuntu, Adobe, eBay and Stanford University. Microsoft has also partnered with BrowserStack and advertises its services.
As part of its service, BrowserStack promises its users full security measures: the virtual machines are tamper-proof, they sit in a secure network behind strong firewalls, and no other user, including BrowserStack's own administrators, is able to spy on a virtual machine.
Just two hours before this was written, someone claiming to represent the BrowserStack team sent a mass email to its subscribers informing them that BrowserStack has "blatantly lied" about its security features and will be shutting down. Some of the specific "lies" mentioned include:
- Administrators are able to spy on the virtual machines
- There are no firewalls in place, and the "password policies are atrocious"
- All virtual machines are open to any member of the public who knows the "alpha password", a six-letter, lower-case, purely alphabetical English noun
- That password is stored in plaintext in every VM
- Every server in the company's infrastructure uses the same root password, which is also stored in plaintext in every VM
The email goes on to suggest that every user should consider their data already compromised, and then specifically apologizes to BrowserStack's enterprise customers.
"Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised. These passwords take no less than 15 minutes to find for anyone who is looking" - Part of the email, which is signed "The BrowserStack Team"
While the contents of the email cannot be verified, some users on Hacker News have commented that it came from a different mail server than BrowserStack's previous emails: the earlier messages were not sent through Amazon SES, whereas this one was.
BrowserStack has tweeted that it has been compromised and is investigating the issue.
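The Hacker News observation above rests on comparing the sending infrastructure recorded in each message's headers. The following is an added example, not code from the article or from BrowserStack, showing how a practitioner would extract that signal: it parses the `Received` chain and the `Return-Path` of two constructed sample messages (the sample headers, hostnames and addresses are invented for illustration and are not real BrowserStack mail), and reports whether the two were sent through the same infrastructure and whether either went through Amazon SES (recognised here by the `amazonses.com` domain, which SES uses for its outbound hosts and bounce addresses).

```python
import email
import re
from email import policy

# Constructed sample headers (not real mail from BrowserStack): an earlier
# newsletter and the suspicious message, differing in how they were sent.
EARLIER_MAIL = """\
Return-Path: <bounce@mail.example-sender.invalid>
Received: from mail.example-sender.invalid (mail.example-sender.invalid [203.0.113.10])
 by mx.recipient.invalid with ESMTPS id 1; Sun, 9 Nov 2014 10:00:00 +0000
From: Sender <hello@example-sender.invalid>
Subject: Earlier newsletter (constructed sample)

Hello.
"""

SUSPICIOUS_MAIL = """\
Return-Path: <0100abc@amazonses.com>
Received: from a9-33.smtp-out.amazonses.com (a9-33.smtp-out.amazonses.com [198.51.100.20])
 by mx.recipient.invalid with ESMTPS id 2; Sun, 9 Nov 2014 11:00:00 +0000
From: Sender <hello@example-sender.invalid>
Subject: We have lied to you (constructed sample)

Hello.
"""

# Each Received header starts with "from <host>"; the host is what the hop
# claims handed the message over.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def sending_hosts(raw_message):
    """Return the 'from' host of every Received hop, most recent hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hosts = []
    for hop in msg.get_all("Received", []):
        # policy.default unfolds continuation lines, so the value is one string
        match = RECEIVED_FROM.match(str(hop).strip())
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def return_path_domain(raw_message):
    """Return the domain of the envelope sender (Return-Path), or None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = str(msg.get("Return-Path", ""))
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", value)
    return match.group(1).lower() if match else None


def origin_profile(raw_message):
    """Summarise the sending infrastructure visible in the headers."""
    return {
        "received_from": sending_hosts(raw_message),
        "return_path_domain": return_path_domain(raw_message),
    }


def same_origin(raw_a, raw_b):
    """True if the two messages share a sending host or envelope-sender domain."""
    a, b = origin_profile(raw_a), origin_profile(raw_b)
    shared_hosts = set(a["received_from"]) & set(b["received_from"])
    return bool(shared_hosts) or a["return_path_domain"] == b["return_path_domain"]


def uses_amazon_ses(raw_message):
    """True if any sending host or the Return-Path is under amazonses.com."""
    profile = origin_profile(raw_message)
    candidates = list(profile["received_from"])
    if profile["return_path_domain"]:
        candidates.append(profile["return_path_domain"])
    return any(h == "amazonses.com" or h.endswith(".amazonses.com") for h in candidates)


if __name__ == "__main__":
    print("earlier:   ", origin_profile(EARLIER_MAIL))
    print("suspicious:", origin_profile(SUSPICIOUS_MAIL))
    print("same origin:", same_origin(EARLIER_MAIL, SUSPICIOUS_MAIL))
    print("suspicious via SES:", uses_amazon_ses(SUSPICIOUS_MAIL))
```

Two caveats apply when reading the output. Only the `Received` line added by your own receiving server is trustworthy; every earlier hop, and the `Return-Path`, can be written by whoever injected the message, so a matching path is not proof of authenticity and a different one is not proof of forgery. A change of mail provider is also common for legitimate senders, so this check is a prompt to look further (SPF and DKIM results for the `From` domain, for instance), not a verdict on its own.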
The email was most likely sent either by a disgruntled ex-employee or by someone who compromised BrowserStack's servers and chose the company's mailing list as the disclosure channel. Whether it is a genuine disclosure by someone on the BrowserStack team, and whether the claims it makes are true, remains to be seen. Either way, since the emails went out the BrowserStack website has been offline and is displaying a site-maintenance message.