BrowserStack: Hacker entered old test machine via Shellshock bug
BrowserStack has detailed how an attacker got hold of user email addresses. According to the browser-testing service, the attacker broke into an outdated server hosted on Amazon Web Services by exploiting the Shellshock bug in Bash.
In its apology email, BrowserStack describes the attacker's suspected method. The attacker allegedly used the Shellshock vulnerability in Bash to gain access to an old, deprecated server inside the virtualized environment that BrowserStack runs on Amazon Web Services. On that server the attacker found AWS API keys. With those keys he was able to launch a virtual server of his own and act as if he were a legitimate BrowserStack administrator.
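The weakness the article names, Shellshock (CVE-2014-6271), let Bash execute a command appended to a function definition that was imported from an environment variable. The following self-check is an added example, not code from BrowserStack or from the article; it runs the well-known harmless probe against whichever bash is on the PATH and reports whether that binary still has the bug. The function name is this example's own choice.

```shell
#!/bin/sh
# Shellshock (CVE-2014-6271) self-check.
# An unpatched bash, when importing an exported function definition such as
#   x='() { :;}; echo vulnerable'
# would also execute the trailing "echo vulnerable". A fixed bash imports only
# the function body and ignores the trailing command.
# Prints one of: vulnerable, patched, no-bash.
shellshock_status() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }
    # The child bash only echoes "probe"; anything containing "vulnerable"
    # in its output can only come from the injected trailing command.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Stand-alone use: print the status of the local bash.
shellshock_status
```

On a fleet this is the sort of check worth running against every host, including machines that are no longer in active use: the article's point is that the compromised server was a deprecated one that the routine patching had missed, not a production system.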
According to BrowserStack, the attacker then began copying personal and login data from a database. The monitoring systems raised an alarm, after which the attacker was locked out. In the short time available he was able to copy data on an estimated 5,000 accounts, the browser-testing service says, and he then sent those users an email that falsely claimed, among other things, that BrowserStack was shutting down.
BrowserStack apologizes for the incident but says the damage was relatively limited. Less than 1 percent of active accounts had their data copied, the company says, and no credit card information was stolen. It also emphasizes that passwords are not only hashed but also salted, using the bcrypt algorithm, and that all of BrowserStack's production systems had reportedly been patched against Shellshock in time; the machine that was breached was an old server that had been taken out of use. The company further says it has taken additional security measures, such as encrypting backups and having a third party perform a security audit of its AWS infrastructure.