Cross-Site Request Forgery Vulnerability Resolution
January 26, 2013 by Oren Teich
On Friday, January 18, security researcher Benjamin Manns notified Heroku of a security vulnerability related to our add-ons program. At a high level, the vulnerability could have resulted in disclosing our Cross-Site Request Forgery (CSRF) tokens (the tokens that protect users against forged cross-site requests) to third parties.
We quickly addressed the vulnerability and, on Sunday, deployed a patch to remediate the issue. We also reviewed our code for related vulnerabilities and conducted a review of our audit logs to determine the impact of the vulnerability. We found no instances of this issue being exploited.
We wish to thank Mr. Manns for his work and commitment to responsible disclosure. You can access his write-up here: http://www.benmanns.com/posts/security-vulnerability-found-in-heroku-and-rails-form-tag/
We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us.
Oren Teich, Chief Operating Officer