Security

Heroku fixes hole that easily lets hackers hijack accounts

Cloud platform Heroku announced today that it has plugged up a hole in its account creation system that would have let hackers change existing account passwords and take control of any account.

Heroku first heard about the password vulnerability from security researcher Stephen Sclafani on Dec. 19. It says it released a patch the following day. Sclafani found the issue when he realized that Heroku used a two-step sign-in process. That is, you must first enter an email address and then wait for Heroku to send you an email with an activation link to set up your account.

“Multistep sign up processes are notorious for containing security vulnerabilities, and after taking a closer look at Heroku’s, I found that it was possible, given only their user ID, to obtain any user’s email address and to change their password,” said Scalfani in a blog post.

He discovered that a hacker need only play around with an HTTP POST request, or the part of the conversation between a website and a server that asks the server to store information, such as a new password. Before the patch, the server accepted any changes to an account’s password using this request, thus giving the person access to the account. Sclafani found a second vulnerability that let anyone use a similar “attack,” but on the password reset page. Instead of changing a specific account password, however, this vulnerability only let you change the password to a random account.

Patches for  both holes appeared Dec. 20, and Heroku says it could not find any instances where the vulnerability had been used in the past. It went on to say it is “extremely grateful” to him for practicing “responsible disclosure.”

“Despite finding these vulnerabilities I plan to host my startup at Heroku,” said Sclafani. “Security vulnerabilities happen and Heroku handled the reports well.”

You could classify Heroku as a platform as a service company. That is, it’s a cloud computing service that enables people build web applications in a variety of coding languages on top of Heroku’s development platform. It supports Ruby, Python, Node.js, and Java, among other languages and also supplies managing tools to keep your app afloat. The company was founded in 2007, and was bought by cloud customer relationship manager Salesforce in 2010.

Heroku image via igb/Flickr