Browser testing service BrowserStack has admitted that an attacker hit a server that was vulnerable to the Shellshock bug.
In the incident, an attacker was able to gain unauthorised access to some users’ registered email addresses and send them an email claiming that BrowserStack would be shutting down; the email reached fewer than one per cent (an estimated 5,000) of users.
In a statement, co-founders Ritesh Arora and Nakul Aggarwal said that the targeted server (run on Amazon Web Services) was an old prototype machine which, despite not being in active use, was penetrated using the Shellshock vulnerability.
“As it was no longer in active use, it did not have the appropriate patch installed,” they said. “The old prototype machine had our AWS API access key and secret key. Once the hacker gained access to the keys, he created an IAM user, and generated a key-pair. He was then able to run an instance inside our AWS account using these credentials, and mount one of our backup disks. This backup was of one of our component services, used for production environment, and contained a config file with our database password. He also whitelisted his IP on our database security group, which is the AWS firewall.
“He began to copy one of our tables, which contained partial user information, including email IDs, hashed passwords, and last tested URL. His copy operation locked the database table, which raised alerts on our monitoring system. On receiving the alerts, we checked the logs, saw an unrecognised IP, and blocked it right away. In that time, the hacker had been able to retrieve only a portion of the data. Finally, using this data and the SES credentials, he was able to send an email to some of our users.”
The company said it was able to verify the hacker’s actions using AWS CloudTrail, which confirmed that no other services were compromised, no other machines were booted, and its AMIs and other data stores were not copied. “In addition, our production web server logs indicate that we were experiencing Shellshock attempts, but they failed because the production web server has the necessary patches to foil all such attempts,” they said.
The company admitted that all of its servers, whether running or not and whether in active use or not, should have been patched with the latest security upgrades and updates, including the Shellshock one. It also said that after taking down the service it revoked all existing AWS keys and passwords and generated new ones immediately as an added security measure, and went through all SSH logs, web server logs and AWS CloudTrail logs to ensure that no more damage was done.
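The chain described in the statement (leaked AWS keys, a new IAM user and key pair, an instance launch, a backup volume mounted, a security-group rule added) leaves a trail of management events in CloudTrail, which is what BrowserStack used after the fact. The following is an added example, not BrowserStack’s tooling or any AWS-supplied code: it scores those event types per access key over a sliding window so that a leaked key running several of them in quick succession stands out, and weights keys the team does not recognise more heavily. The sample records, key ids, account number, IP addresses and ARNs are all constructed placeholders.

```python
"""Score CloudTrail records for the credential-abuse chain described above.

Added illustration, not BrowserStack's own tooling. The event names are real
CloudTrail eventName values; the sample records below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# (eventSource, eventName) pairs matching the stages in the incident statement,
# with a rough weight. SES SendEmail only appears in a trail that records SES
# data events (assumption about the trail configuration), so it is listed but
# absent from the sample below.
SUSPICIOUS_EVENTS = {
    ("iam.amazonaws.com", "CreateUser"): 3,                      # persistence: new IAM user
    ("iam.amazonaws.com", "CreateAccessKey"): 3,                 # persistence: key pair for it
    ("ec2.amazonaws.com", "RunInstances"): 2,                    # attacker-controlled instance
    ("ec2.amazonaws.com", "AttachVolume"): 2,                    # backup disk mounted
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): 3,   # firewall opened to an IP
    ("ses.amazonaws.com", "SendEmail"): 1,                       # mail sent via SES
}
ALERT_THRESHOLD = 6          # score at which a key is reported
WINDOW = timedelta(hours=2)  # densest span of activity that is scored


def _rec(key, source, name, when, ip, arn):
    """Build a minimal CloudTrail record (constructed sample data)."""
    return {
        "eventTime": when, "eventSource": source, "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key, "arn": arn},
    }


# Constructed sample trail: a normal admin key, the leaked prototype key creating
# a user and key, then the new key launching an instance, attaching a volume and
# opening the database security group. Account id 123456789012 is a placeholder.
_ADMIN = "AKIAKNOWNADMIN000001"       # placeholder key id
_PROTO = "AKIAPROTOTYPE0000002"       # placeholder: key left on the old prototype box
_NEW = "AKIANEWUSER000000003"         # placeholder: key pair created by the attacker
_ADMIN_ARN = "arn:aws:iam::123456789012:user/ops-admin"
_PROTO_ARN = "arn:aws:iam::123456789012:user/prototype-deploy"
_NEW_ARN = "arn:aws:iam::123456789012:user/backup-svc"
SAMPLE_LOG = json.dumps({"Records": [
    _rec(_ADMIN, "ec2.amazonaws.com", "DescribeInstances", "2014-11-09T08:00:00Z", "203.0.113.10", _ADMIN_ARN),
    _rec(_ADMIN, "ec2.amazonaws.com", "RunInstances", "2014-11-09T08:05:00Z", "203.0.113.10", _ADMIN_ARN),
    _rec(_PROTO, "iam.amazonaws.com", "CreateUser", "2014-11-09T21:00:00Z", "198.51.100.77", _PROTO_ARN),
    _rec(_PROTO, "iam.amazonaws.com", "CreateAccessKey", "2014-11-09T21:01:00Z", "198.51.100.77", _PROTO_ARN),
    _rec(_NEW, "ec2.amazonaws.com", "RunInstances", "2014-11-09T21:10:00Z", "198.51.100.77", _NEW_ARN),
    _rec(_NEW, "ec2.amazonaws.com", "AttachVolume", "2014-11-09T21:20:00Z", "198.51.100.77", _NEW_ARN),
    _rec(_NEW, "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "2014-11-09T21:25:00Z", "198.51.100.77", _NEW_ARN),
]})
# Keys the team has issued and recognises. The prototype key is legitimately ours,
# which is exactly why an allowlist alone does not catch its misuse.
KNOWN_KEYS = {_ADMIN, _PROTO}


def parse_records(raw_json):
    """Return the event list from a CloudTrail log file body ({"Records": [...]})."""
    return json.loads(raw_json)["Records"]


def _when(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def score_by_access_key(records, known_keys):
    """Group suspicious events per access key; report keys whose densest
    WINDOW of activity scores at or above ALERT_THRESHOLD. Unrecognised keys
    are weighted double, since an unknown key in the account is itself a finding."""
    per_key = defaultdict(list)
    for rec in records:
        weight = SUSPICIOUS_EVENTS.get((rec.get("eventSource"), rec.get("eventName")))
        if weight is None:
            continue
        key = rec.get("userIdentity", {}).get("accessKeyId", "<none>")
        per_key[key].append((_when(rec), rec["eventName"], rec.get("sourceIPAddress"), weight))

    findings = {}
    for key, events in per_key.items():
        events.sort()
        # Sliding window: take the highest-scoring WINDOW starting at any event.
        best = max(sum(w for t, _, _, w in events[i:] if t - start <= WINDOW)
                   for i, (start, _, _, _) in enumerate(events))
        recognised = key in known_keys
        score = best * (1 if recognised else 2)
        if score >= ALERT_THRESHOLD:
            findings[key] = {
                "score": score, "recognised": recognised,
                "events": [name for _, name, _, _ in events],
                "source_ips": sorted({ip for _, _, ip, _ in events}),
            }
    return findings


if __name__ == "__main__":
    for key, detail in score_by_access_key(parse_records(SAMPLE_LOG), KNOWN_KEYS).items():
        print(key, detail)
```

On the sample trail the admin key's single RunInstances scores 2 and is not reported; the prototype key's CreateUser plus CreateAccessKey within a minute scores 6 and is reported even though the key is a known one; the newly minted key scores 7 for the instance, volume and security-group events and is doubled to 14 because nobody issued it. A sensible follow-up in a real pipeline is to pivot from any reported key to every other event sharing its source IP, which is what the team did when it blocked the unrecognised address.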
In an email to IT Security Guru, security researcher Troy Hunt said that this could be the first “attack” due to Shellshock that someone has publicly admitted to, as far as he was aware.
He said: “Yes, these major bugs are often fixed with one simple patch. The underlying flaw can be extremely simple; take the Apple goto fail bug as an example – you can’t get much simpler than that!
“The recent Drupal SQLi bug is another good example of a simple patch sorting stuff out and the severity of what happens if you’re not on top of it. Install the patch immediately and you’re good, wait more than seven hours (less than a night’s sleep) and you have to assume that all of your things are now pwned.”
He also said that the problem is that BASH software is “from a different era” that pre-dated the internet.