Second Heroku security flaw uncovered

News Jane McCallion Jan 28, 2013
Security key on keyboard

Ruby on Rails exploit discovered just two weeks after HTTP vulnerability patched

Salesforce.com owned platform-as-a-service (PaaS) provider Heroku has revealed the existence of a second security hole in its system.

The vulnerability was discovered by security researcher Benjamin Manns on 18 January. He notified Heroku the same day, but the flaw was not publicly announced until 26 January, once the problem had been fixed.

Oren Teich, COO of the company, said the issue related to the platform’s add-on programme. Manns went into more detail in his analysis, stating the problem was a Ruby on Rails (RoR) vulnerability.

As reported by our sister site, IT Pro, the Ruby on Rails team recently posted a security advisory notice stating “multiple weaknesses” had been found in part of the framework’s coding. These vulnerabilities reportedly put nearly a quarter of a million websites at risk of being hacked.

In a blog post on the matter, Teich said: “At a high level, the vulnerability could have resulted in disclosing our Cross-Site Request Forgery tokens (which are used to prevent browser hacking) to third parties.”
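To make concrete why disclosure of a CSRF token to a third party matters, the following is an added illustration, not Heroku's or Rails' own code: a minimal synchronizer-token check of the kind Rails performs, run against a constructed cross-site form submission. The session store, request shape, parameter name `authenticity_token` and header name `X-CSRF-Token` are assumptions for the example; the token is the only thing standing between a forged cross-origin request and the victim's account, so once it leaks the check passes.

```ruby
require "securerandom"

# Added example, not Heroku's or Rails' code. A minimal synchronizer-token
# CSRF check to show why a disclosed token defeats the protection.
module CsrfDemo
  TOKEN_BYTES = 32

  # A plain hash stands in for a server-side session (assumption for the demo).
  def self.new_session
    { csrf_token: SecureRandom.base64(TOKEN_BYTES) }
  end

  # Constant-time comparison so response timing does not leak how many
  # leading bytes of a guessed token were correct.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Only state-changing methods are checked, as Rails does.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # request is a hash { method:, params: {}, headers: {} } (constructed shape).
  # Returns :skipped for safe methods, :ok when the token matches, else :forbidden.
  def self.verify(session, request)
    return :skipped if SAFE_METHODS.include?(request[:method])
    supplied = request[:params]["authenticity_token"] || request[:headers]["X-CSRF-Token"]
    expected = session[:csrf_token]
    return :forbidden if supplied.nil? || expected.nil?
    secure_compare(supplied, expected) ? :ok : :forbidden
  end

  # Scenario: an attacker-controlled page auto-submits a form into the victim's
  # logged-in session. Without the token the forgery is rejected; if the token
  # has been disclosed to the attacker, the same forgery is accepted.
  def self.scenario
    session = new_session
    blind_forgery = { method: "POST",
                      params: { "email" => "attacker@example.test" },
                      headers: {} }
    with_leaked_token = { method: "POST",
                          params: { "email" => "attacker@example.test",
                                    "authenticity_token" => session[:csrf_token] },
                          headers: {} }
    { blind: verify(session, blind_forgery), leaked: verify(session, with_leaked_token) }
  end
end

p CsrfDemo.scenario if $PROGRAM_NAME == __FILE__
```

The check itself is sound; the point of the example is that the token is a bearer secret. Any path that lets a cross-origin page read it (which is what the Rails weakness Heroku describes could have allowed) collapses the defence, which is why Heroku's audit-log review for exploitation attempts was the right follow-up.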

A patch was deployed on 20 January and the organisation also reviewed its code for related vulnerabilities.

“[We also] conducted a review of our audit logs to determine the impact of the vulnerability. We found no instances of this issue being exploited,” Teich added.

Teich also sought to reaffirm Heroku’s “commitment to the security and integrity of [its] customers’ data and code”.

This is the second security vulnerability in Heroku’s code to be uncovered in recent weeks. On 19 December another security researcher, Stephen Sclafani, discovered a security flaw related to password encryption, but it was not patched until early January.
