Sclafani discovered the security vulnerabilities in December 2012. The flaw allowed anyone who knew a user's ID to obtain that user's e-mail address and then change the account's password. He wrote on his blog, "Upon signing up, I noticed that Heroku used a two-step sign up process. Multi-step sign up processes are notorious for containing security vulnerabilities, and after taking a closer look at Heroku’s I found that it was possible, given only their user ID, to obtain any user’s email address and to change their password."
Sclafani had found that an attacker could tamper with an HTTP POST request to change user passwords: Heroku's servers accepted any change to an account's password submitted this way. He had also found a second vulnerability that allowed a similar technique on the password reset page; in that case an attacker could change the passwords of arbitrary accounts.
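The class of flaw described above, as an added illustration that is not Heroku's code: a two-step sign-up whose second step trusts a client-supplied user ID, shown beside a version that binds step two to the server-side session created in step one. The in-memory user store, field names (`user_id`, `signup_user_id`) and sign-up flow are constructed assumptions.

```python
# Illustrative model of a two-step sign-up flaw: step 2 trusts a client-
# supplied user ID. NOT Heroku's code; the store, fields and flow are
# constructed assumptions for this example.
import secrets

# Constructed in-memory user store keyed by user ID.
USERS = {
    1001: {"email": "alice@example.com", "password": "alice-original"},
    1002: {"email": "bob@example.com", "password": "bob-original"},
}


def begin_signup(email: str) -> dict:
    """Step 1: create the account and return a server-side session that
    records which user this browser is completing sign-up for."""
    user_id = max(USERS) + 1
    USERS[user_id] = {"email": email, "password": None}
    return {"id": secrets.token_hex(8), "signup_user_id": user_id}


def complete_signup_vulnerable(session: dict, form: dict) -> dict:
    """Step 2, flawed: the target account comes from the POST body, so any
    user_id is accepted, that account's password is overwritten, and the
    response discloses its e-mail address."""
    user = USERS[int(form["user_id"])]
    user["password"] = form["password"]
    return {"email": user["email"]}


def complete_signup_fixed(session: dict, form: dict) -> dict:
    """Step 2, hardened: the target account comes only from the session
    created in step 1. A user_id in the form is never trusted; a mismatch
    is rejected and is a useful tampering signal to log."""
    user_id = session.get("signup_user_id")
    if user_id is None:
        raise PermissionError("no sign-up in progress for this session")
    if "user_id" in form and int(form["user_id"]) != user_id:
        raise PermissionError("user_id does not match the sign-up session")
    user = USERS[user_id]
    if user["password"] is not None:
        raise PermissionError("sign-up already completed")
    user["password"] = form["password"]
    return {"email": user["email"]}
```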
Heroku confirmed that no existing accounts were found to have been affected by these loopholes. The company released patches for both on December 20. Heroku says it performed a thorough analysis to check whether any existing accounts had been affected; during that review it found a few accounts whose passwords had been changed during testing, and those users were informed of the issue.
In a blog post, Heroku thanked Sclafani for reporting the vulnerabilities. The company’s Chief Operating Officer, Oren Teich, wrote: “We are extremely grateful to both him and all external security researchers who practice responsible disclosure.”
Heroku offers a cloud computing service that lets users build web-based applications in multiple programming languages and deploy them on Heroku's platform. The company was founded in 2007 and was acquired by Salesforce in 2010.