On November 9th, 2014, BrowserStack was attacked by an individual who was able to access and copy some of its users' email addresses, and then tried to send an email to all of its users with false information about BrowserStack, even claiming that the company would shut down. The email reached only 1% of the company's registered users, and although the company fixed the problem promptly, it caused a huge inconvenience to all users, not only to that 1%, because the servers had to be taken offline for several hours as a security precaution.
How did this happen?
Does the name Shellshock sound familiar to you? We seriously hope it does, but if not, let us explain:
The Shellshock vulnerability (also called Bash Bug) is a "deadly serious" bug that was found on September 24th, 2014, and has affected millions of servers, allowing attackers to run programs, enable features on your servers, and delete or steal your information without needing any passwords. The only way to stop or prevent servers from suffering an attack was to patch them immediately.
BrowserStack's application servers run on Amazon Web Services, one of the best and most secure platforms available. When they heard about the Shellshock vulnerability they patched all their running servers except one: an old prototype machine, running since before 2012, that was not in active use.
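The lesson of that one forgotten machine is that "we patched everything" needs to be verified host by host. As an added example (not from the original post or from BrowserStack), here is a small POSIX shell self-check that reports whether the bash on the host it runs on still executes a command smuggled in through an environment variable, which is the behaviour the Bash Bug exploits; it only starts a local bash child process and runs `echo`, and the function names and the SS_PROBE variable are our own.

```shell
#!/bin/sh
# Added example: local Shellshock patch-status check for one host.
# Nothing leaves the machine; the probe only makes bash import a variable.

# Prints "vulnerable", "patched" or "no-bash". Optional argument: path to
# a bash binary (defaults to whatever "bash" resolves to on PATH).
shellshock_status() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The variable holds a function definition followed by an extra command.
    # An unpatched bash runs that trailing command while importing the
    # function, so the marker appears on stdout; a fixed bash never runs it.
    out=$(env SS_PROBE='() { :; }; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Prints a one-line inventory record for this host, so the output of every
# machine (including old prototypes) can be collected into a central list.
shellshock_report() {
    host=$(hostname 2>/dev/null || echo "unknown-host")
    ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo "n/a")
    echo "$host bash=$ver status=$(shellshock_status "$@")"
}

shellshock_report
```

Run it on each host (for example through your configuration-management tool) and grep the collected lines for anything other than `status=patched`.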
The attacker used the Shellshock vulnerability to break into this machine and gain access to its keys, created an IAM user, generated a key pair, and began copying users' information such as email IDs, hashed passwords, and the last tested URL. After receiving the alerts, the company noticed an unrecognized IP and blocked it right away.
Why does this matter?
It matters because this is an excellent example of why we should always keep up with the latest security updates and apply them to our servers as soon as possible. To some, being hacked may seem like a fun and challenging game, but the reality is that whenever these kinds of things happen, it not only costs you a lot of money to fix the problem, but it also takes a lot of effort and time to rebuild customer trust after having put their information at risk. That's why the more attentive to detail and the better informed you are, the lower your chances of being attacked.
We don’t want to play dad, but let’s all learn from BrowserStack’s experience and take the necessary steps your company needs to keep your users safe at all times.
If you haven't patched your servers yet, do it right now. We don't want to be the ones saying "We told you so".
If you want to read more about the BrowserStack attack, click here.
Also, check out our original post, where we wrote about the Bash Bug.