Heroku plugs password security hole

News 10 Jan, 2013

Vulnerability could have let hackers change passwords and hijack accounts.

Platform-as-a-Service (PaaS) provider Heroku has patched a security flaw that could have given hackers access to customer accounts.

The company was told about the problem on 19 December 2012 by security researcher Stephen Sclafani.

However, it chose not to go public with news of the vulnerability until it had been patched.

Heroku encrypts its user passwords with non-recoverable bcrypt hashes, but hackers were able to bypass this security measure and gain access to users’ accounts via a malicious HTTP request.

We are confident in the steps we have taken to protect our customers from this vulnerability

Potential hackers were never able to see users' passwords, but could use the malicious code on the service provider’s account creation system to change them and take control of the account.

A preliminary patch was developed and deployed on 20 December and the company claims it found no evidence that the vulnerability was exploited by anyone prior to Sclafani’s research.

Oren Teich, Heroku’s chief operating officer, said in a blog post: “We are confident in the steps we have taken to protect our customers from this vulnerability and will continue to improve our internal processes in order to provide our customers with a trusted cloud platform.

“We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us,” he added.