Heroku has resolved a security vulnerability it was alerted to in December that would have allowed an attacker to change the password of a pre-existing user account and thus gain control of it. Web security has been a vital issue for the industry: recently EdgeWebHosting partnered with Duo Security to secure remote access by enabling two-factor authentication, and SingleHop launched an automated security service for dedicated cloud servers.
On December 19, 2012, security researcher Stephen Sclafani notified Heroku of an issue in their account creation system. Using a maliciously-crafted HTTP request, an attacker could change the password of a pre-existing Heroku user account, and thus gain control of it. This attack would not disclose the pre-existing password to the attacker.
Instead of prosecuting Mr. Sclafani, the person who uncovered the vulnerability, as most companies do, Heroku’s engineering and security staff engaged with Mr. Sclafani and worked with him in a collaborative way to find a solution. They developed and deployed a preliminary patch to production on December 20. While the patch was being deployed, Mr. Sclafani also discovered a related issue in the password reset flow that could be used to reset the passwords of a certain subset of users at random. A preliminary patch for this was also developed and deployed on December 20.
This was followed by a thorough and comprehensive audit of internal logs, which found no evidence that these vulnerabilities had been exploited prior to Mr. Sclafani’s research on December 19, either by him or by any other third party. Due to the nature of the vulnerability, any customer whose account was compromised would have found both their existing password and API key invalidated, and would have had to initiate a password reset.
While both Mr. Sclafani and Heroku endeavoured to use test accounts exclusively, a very small number of customer account passwords were reset during the incident. Heroku contacted the impacted customers and advised them to reset their passwords and credentials.
“We are confident in the steps we have taken to protect our customers from this vulnerability and will continue to improve our internal processes in order to provide our customers with a trusted cloud platform,” said Oren Teich, Chief Operating Officer, Heroku. “We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us.”
On Christmas Eve, Heroku was also affected by the Amazon cloud computing service outage.