The “BrowserStack is Shutting Down” Email That Turned Out to be not True
Today, I was very sad to receive an email that said one of our favorite services we pay for, BrowserStack, was shutting down. I was curios why they would do such a thing since they seem to be pretty successful. So, I started reading the whole email. I was expecting one of those post mortems about how things did not work out.
Until I read this paragraph:
Unfortunately, we have blatantly lied. Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password…
I first thought either they are very honest or they have a disgruntled employee. If they were so honest and aware of their mistake, why would they shutdown the service instead of fixing things in the first place.
So, I googled it and found this tweet:
https://twitter.com/browserstack/status/531631012493524992
It turns out someone hacked their system and decided to out their security mistakes.
Every crisis is also an opportunity. This is a good opportunity for them to take security more seriously, and improve things permanently. They should fully and publicly admit any mistakes they have made and tell users what steps they will take to improve things, and they should then follow it through. Things might suck at the beginning but the end result would eventually be a win for both Browserstack and their users.
Here is the full email:
Dear BrowserStack User,
We are unfortunately displeased to announce that BrowserStack will be shutting down. After much consideration on our part, we have realized we were negligent in the services we claimed to offer. In our terms of service, we state the following:
[…] after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof.
[…] The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.
[…] At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.
Unfortunately, we have blatantly lied. Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password “***” on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched (“***").
Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised. These passwords take no less than 15 minutes to find for anyone who is looking.
We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.
Sincerely,
The BrowserStack Team
Update (Nov 21, 2014)
Just recevied an email from BrowserStack about what happened.
http://www.browserstack.com/attack-and-downtime-on-9-November
