Second Heroku security flaw uncovered


Salesforce.com owned platform-as-a-service (PaaS) provider Heroku has revealed the existence of a second security hole in its system.

The vulnerability was discovered by security researcher Benjamin Manns on 18 January. He notified Heroku the same day, but the flaw was not publicly announced until 26 January, once the problem had been fixed.

Oren Teich, COO of the company, said the issue related to the platform’s add-on programme. Manns went into more detail in his analysis, stating the problem was a Ruby on Rails (RoR) vulnerability.

As reported by our sister site, IT Pro, the Ruby on Rails team recently posted a security advisory notice stating “multiple weaknesses” had been found in part of the framework’s coding. These vulnerabilities reportedly put nearly a quarter of a million websites at risk of being hacked.

In a blog post on the matter, Teich said: “At a high level, the vulnerability could have resulted in disclosing our Cross-Site Request Forgery tokens [which are used to prevent browser hacking] to third parties.”

A patch was deployed on 20 January and the organisation also reviewed its code for related vulnerabilities.

“[We also] conducted a review of our audit logs to determine the impact of the vulnerability. We found no instances of this issue being exploited,” Teich added.

Teich also sought to reaffirm Heroku’s “commitment to the security and integrity of [its] customers’ data and code”.

This is the second security vulnerability in Heroku’s code to be uncovered in recent weeks. On 19 December another security researcher, Stephen Sclafani, discovered a security flaw related to password encryption, but it was not patched until early January.

Jane McCallion
Managing Editor
