Heroku plugs security hole

digital padlocks
digital padlocks

Vulnerability may have allowed attackers to change passwords and hijack accounts

Platform-as-a-Service (PaaS) provider Heroku has patched a security flaw that could have given hackers access to customer accounts.

The company was told about the problem on 19 December 2012 by security researcher Stephen Sclafani.

However, it chose not to go public with news of the vulnerability until it had been patched.

Heroku encrypts its user passwords with non-recoverable bcrypt hashes, but hackers were able to bypass this security measure and gain access to users’ accounts via a malicious HTTP request.

Potential hackers were never able to see users' passwords, but could use the malicious code on the service provider’s account creation system to change them and take control of the account.

A preliminary patch was developed and deployed on 20 December and the company claims it found no evidence that the vulnerability was exploited by anyone prior to Sclafani’s research.

Oren Teich, Heroku’s chief operating officer, said in a blog post: “We are confident in the steps we have taken to protect our customers from this vulnerability and will continue to improve our internal processes in order to provide our customers with a trusted cloud platform.

“We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us,” he added.

Read more about: