Second Heroku security flaw uncovered
Ruby on Rails exploit discovered just two weeks after HTTP vulnerability patched


Salesforce.com-owned platform-as-a-service (PaaS) provider Heroku has revealed the existence of a second security hole in its system.
The vulnerability was discovered by security researcher Benjamin Manns on 18 January. He notified Heroku the same day, but the flaw was not publicly announced until 26 January, once the problem had been fixed.
Oren Teich, COO of the company, said the issue related to the platform’s add-on programme. Manns went into more detail in his analysis, stating the problem was a Ruby on Rails (RoR) vulnerability.
As reported by our sister site, IT Pro, the Ruby on Rails team recently posted a security advisory stating “multiple weaknesses” had been found in part of the framework’s code. These vulnerabilities reportedly put nearly a quarter of a million websites at risk of being hacked.
In a blog post on the matter, Teich said: “At a high level, the vulnerability could have resulted in disclosing our Cross-Site Request Forgery tokens [which are used to prevent browser hacking] to third parties.”
A patch was deployed on 20 January and the organisation also reviewed its code for related vulnerabilities.
“[We also] conducted a review of our audit logs to determine the impact of the vulnerability. We found no instances of this issue being exploited,” Teich added.
Teich also sought to reaffirm Heroku’s “commitment to the security and integrity of [its] customers’ data and code”.
This is the second security vulnerability in Heroku’s code to be uncovered in recent weeks. On 19 December another security researcher, Stephen Sclafani, discovered a security flaw related to password encryption, but it was not patched until early January.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.