BrowserStack Local allegedly ships with a live bs-local.com private key

April 6, 2026

What happened

It has been reported that BrowserStack's "BrowserStack Local" tooling contains a valid TLS certificate for bs-local.com and, crucially, the matching private key. The claim — posted to Mastodon and discussed on infosec forums — says the key was embedded in the distributed software. If true, that's a serious misstep: a leaked private key can let an attacker impersonate the domain or decrypt traffic under the right conditions. The original reporter says they disclosed the issue in November; BrowserStack generated a new certificate in January, but allegedly the new private key was again shipped in the client.

Why it matters

Private keys are the crown jewels of HTTPS. Lose one and you lose control of who can convincingly claim to be your domain. Certificate Authorities such as GoDaddy, which issued the cert in this case, must revoke affected certificates once they're informed — but revocation is only part of the cleanup. Users, automated systems, and public caches can still trust a compromised cert until revocation propagates; attackers can seize that window. Short version: this is not just annoying. It's dangerous.

Repeat failure, rising frustration

What makes this story stick is the déjà vu. Fixes were apparently rolled out in January, yet the same class of mistake recurred. Frustrating? Absolutely. A facepalm moment? You bet. It raises questions about secure build practices, secret management, and release hygiene inside the toolchain. How are private keys being stored and bundled, and why weren't rotation and verification automated after the first disclosure?

What's next

BrowserStack should audit its releases, purge any embedded keys, rotate all affected certificates, and publish a clear timeline and remediation guidance for customers. Developers running BrowserStack Local should treat the report seriously: verify you're running a version without embedded keys, rotate any local secrets that might have been exposed, and follow the vendor's guidance. It has been reported that the matter is already public on Mastodon and infosec communities; expect scrutiny until a transparent, verifiable fix is in place.
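The "verify you're running a version without embedded keys" step above is the kind of check a release pipeline should run before anything ships. Here is an added example of such a check, not BrowserStack's tooling or the reporter's method: it scans raw bytes (so compiled binaries count, not just .pem files) for PEM private-key blocks, flags cleartext keys as the severe case, and notes whether a certificate ships in the same blob. The sample binary is constructed filler and the scan path is a placeholder.

```python
import os
import re

# PEM private-key blocks: PKCS#1 "RSA", SEC1 "EC", "DSA", "OPENSSH", bare PKCS#8
# and PKCS#8 "ENCRYPTED". The END label must repeat the BEGIN label (\1).
_PEM_KEY_RE = re.compile(rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----\s*(.*?)-----END \1-----", re.DOTALL)

# Constructed sample standing in for a shipped client binary: a cleartext RSA key, the
# certificate beside it, and a passphrase-protected PKCS#8 key. Bodies are filler, not keys.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00 ...unrelated code and strings... "
    b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIEtFWQ==\n"
    b"-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
    b"-----END ENCRYPTED PRIVATE KEY-----\n\x00 ...trailing bytes..."
)


def find_pem_private_keys(data: bytes) -> list[dict]:
    """One record per PEM private key in `data`; runs on raw binaries, not only .pem files."""
    findings = []
    for m in _PEM_KEY_RE.finditer(data):
        label = m.group(1).decode("ascii")
        # PKCS#8 announces encryption in the label; legacy PEM does it in a header.
        encrypted = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in m.group(2)
        findings.append({
            "offset": m.start(),
            "label": label,
            "encrypted": encrypted,
            # A cleartext key inside a shipped artifact is exactly the reported failure.
            "severity": "medium" if encrypted else "high",
            # A certificate in the same blob means the key ships with a usable identity.
            "cert_alongside": b"-----BEGIN CERTIFICATE-----" in data,
        })
    return findings


def scan_tree(root: str) -> list[dict]:
    """Walk an unpacked release directory (placeholder path) and tag findings with their file."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            results.extend({"path": path, **f} for f in find_pem_private_keys(data))
    return results
```

Run `scan_tree()` over an unpacked release as a blocking CI step: any "high" finding means a cleartext key is about to ship, and `cert_alongside` tells you whether the matching certificate needs revocation too.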

Sources: infosec.exchange, Lobsters