Cloud Journal



Heroku Patches Password Hijacking Security Vulnerabilities

Written by  Harpreet | 22 January 2013

Heroku, a popular cloud application platform, has announced that it has fixed two vulnerabilities that allowed attackers to change a user's password and thereby gain access to that user's Heroku account. The platform-as-a-service (PaaS) company was tipped off by security researcher Stephen Sclafani, and it acted promptly, getting in touch with him soon after he posted about the issue on his blog.

Sclafani discovered the security vulnerabilities in December 2012. The loophole allowed anyone to get hold of a user's e-mail address and then change the user's account password, using only a user ID. He mentioned on his blog, "Upon signing up, I noticed that Heroku used a two-step sign up process. Multi-step sign up processes are notorious for containing security vulnerabilities, and after taking a closer look at Heroku’s I found that it was possible, given only their user ID, to obtain any user’s email address and to change their password."

Sclafani found that an attacker could manipulate an HTTP POST request to change a user's password: Heroku's servers accepted any password change for the account named in such a request. He also found a second vulnerability that allowed a similar method to be used on the password reset page, where an attacker could change the passwords of arbitrary accounts.
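The defect Sclafani describes, a second sign-up step that acts on whatever user ID the request body names, comes down to trusting a client-supplied identifier instead of the server-side session. The following added example (not Heroku's code; the account store, session table and handler names are assumptions) contrasts a step-two handler that looks the account up by the POSTed `user_id` with one that only ever completes the account bound to the sign-up session created in step one.

```python
# Added illustration of the class of bug described in the article: a multi-step
# sign-up whose second step accepts a user ID from the request body. All names
# (USERS, SESSIONS, the handlers) are assumptions; this is not Heroku's code.
import secrets

# Constructed in-memory state standing in for the real account store.
# Passwords are kept in plain text only to keep the example short.
USERS = {
    "1001": {"email": "alice@example.test", "password": "alice-original"},
    "1002": {"email": "bob@example.test", "password": "bob-original"},
}
SESSIONS = {}  # session token -> user id created by step one of sign-up


def signup_step_one(email: str) -> str:
    """Create the account stub and bind it to a fresh server-side session."""
    user_id = str(1000 + len(USERS) + 1)
    USERS[user_id] = {"email": email, "password": None}
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user_id
    return token


def step_two_vulnerable(form: dict) -> dict:
    """Step two as the article describes it: the account to update is chosen
    by the 'user_id' field of the POST body, so any known ID is accepted,
    and the response discloses that account's e-mail address."""
    user = USERS[form["user_id"]]
    user["password"] = form["password"]
    return {"email": user["email"]}


def step_two_fixed(session_token: str, form: dict) -> dict:
    """Step two hardened: the target account comes only from the session that
    step one created; a 'user_id' in the form body is ignored entirely, and a
    session whose sign-up is already complete cannot set a password again."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        raise PermissionError("no sign-up in progress for this session")
    user = USERS[user_id]
    if user["password"] is not None:
        raise PermissionError("sign-up already completed")
    user["password"] = form["password"]
    return {"ok": True}
```

The same principle applies to the password reset page mentioned next: the account to act on must be derived from a server-issued, single-use reset token, never from an identifier the client chooses.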

Heroku confirmed that none of the existing accounts were found to have been affected by these loopholes, and it deployed patches for both on December 20. Heroku says it performed a thorough analysis to check whether any existing accounts had been affected; during this review it found a few accounts whose passwords had been changed during testing, and those users were informed about the issue.

Heroku thanked Sclafani in a blog post for informing the company about these security vulnerabilities. The company's Chief Operating Officer, Oren Teich, wrote: "We are extremely grateful to both him and all external security researchers who practice responsible disclosure."

Heroku offers a cloud computing service that allows users to build web-based applications in multiple programming languages and deploy them on Heroku's platform. The company was founded in 2007 and was acquired by Salesforce in 2010.



Harpreet is a technology journalist based in India. He currently writes on Mobile, Technology and Startups. He is an avid reader and a passionate writer. Prior to ToolsJournal, Harpreet used to write for a major English news daily.
