Heroku plugs password security hole

digital padlocks

Platform-as-a-Service (PaaS) provider Heroku has patched a security flaw that could have given hackers access to customer accounts.

The company was told about the problem on 19 December 2012 by security researcher Stephen Sclafani.

However, it chose not to go public with news of the vulnerability until it had been patched.

Heroku encrypts its user passwords with non-recoverable bcrypt hashes, but hackers were able to bypass this security measure and gain access to users' accounts via a malicious HTTP request.

We are confident in the steps we have taken to protect our customers from this vulnerability

Potential hackers were never able to see users' passwords, but could use the malicious code on the service provider's account creation system to change them and take control of the account.

A preliminary patch was developed and deployed on 20 December and the company claims it found no evidence that the vulnerability was exploited by anyone prior to Sclafani's research.

Oren Teich, Heroku's chief operating officer, said in a blog post: "We are confident in the steps we have taken to protect our customers from this vulnerability and will continue to improve our internal processes in order to provide our customers with a trusted cloud platform.

"We would also like to reaffirm our commitment to the security and integrity of our customers' data and code. Nothing is more important to us," he added.

Jane McCallion
Managing Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.