Security Improvement: Subdomain Reuse Mitigation

Summary

Subdomain reuse, also known as subdomain takeover, is a security vulnerability that occurs when an attacker claims a subdomain that its legitimate owner no longer uses and takes control of it. Typically, this happens when an application is deprecated and an attacker directs residual traffic to a host that they control.

As of 14 June 2023, we changed the format of the built-in herokuapp.com domain for Heroku apps. This change improves the security of the platform by preventing subdomain reuse. The new format is <app-name>-<random-identifier>.herokuapp.com. Previously, the format was <app-name>.herokuapp.com. The new format for built-in herokuapp.com domains is on by default for all users.

Why It's Important

When you delete a Heroku application, its globally unique name immediately becomes available to other users. Previously, the app name was the same as the app’s herokuapp.com subdomain, which serves as the default hostname for the application.

With subdomain takeovers, attackers can search the Internet for Heroku application names that are no longer in use. They can create new apps using the freed-up names with the hope that some party still directs traffic to the application. An attacker can also create an app at that URL to intercept the traffic and provide their own content.

A successful subdomain takeover can lead to a wide variety of other potential attack vectors. The attacker who impersonates the original owner can then attempt any of the following attacks.

Stealing cookies

It’s common for web apps to expose session cookies. An attacker can use the compromised subdomain to impersonate a website formerly registered to an app. This impersonation can permit an attacker to harvest cookies from unsuspecting users who visit and interact with the rogue webpage(s).

Phishing

Using a legitimate subdomain name makes it easier for phishers to leverage the former domain name to lure unsuspecting victims.

OAuth Allowlisting

The OAuth flow has an allowlisting mechanism that specifies which callback URIs to accept. A compromised subdomain that is still allowlisted can redirect users during the OAuth flow. This redirection can leak their OAuth token.

The new format prevents these vulnerabilities because — even if an attacker creates an app with a freed-up name — the subdomain of the app now has a random identifier appended.

We always recommend using a custom domain for any kind of production or security-sensitive app. However, with this change, even customers who use the default herokuapp.com domain names can do so safely. If those apps are deleted later, the built-in default domains can't be taken over.

Nothing needs to be set on your account to enable this. The new format for built-in herokuapp.com domains is on by default for all users.
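The audit below is an added example, not Heroku's code: it walks a constructed set of CNAME records and OAuth callback URIs and flags any that still point at a legacy <app-name>.herokuapp.com hostname, which becomes claimable once the app is deleted. It assumes the random identifier in the new format is 12 lowercase hex characters; the page only states that an identifier is appended, so the shape is an assumption and the check is a heuristic.

```python
import re
from urllib.parse import urlparse

HEROKU_SUFFIX = ".herokuapp.com"
# Assumed shape of the new format: <app-name>-<12 lowercase hex chars>.
# A legacy app whose name happens to end in "-" + 12 hex chars would be
# misclassified as "new"; treat this as a heuristic, not proof.
NEW_FORMAT = re.compile(r"^[a-z0-9-]+-[0-9a-f]{12}$")


def classify_hostname(host: str) -> str:
    """Return 'new', 'legacy', or 'other' for a hostname."""
    label = host.rstrip(".").lower()
    if not label.endswith(HEROKU_SUFFIX):
        return "other"
    label = label[: -len(HEROKU_SUFFIX)]
    return "new" if NEW_FORMAT.match(label) else "legacy"


def audit_cnames(records):
    """records: iterable of (owner_name, cname_target). Flags legacy targets:
    the app name alone controls that host, so a deleted app leaves a
    dangling record that another account could re-register."""
    return [
        (name, target, "legacy herokuapp.com CNAME target; verify the app still exists")
        for name, target in records
        if classify_hostname(target) == "legacy"
    ]


def audit_oauth_callbacks(uris):
    """Flags allowlisted redirect URIs whose host is a legacy herokuapp.com
    subdomain; a takeover of that host could receive OAuth tokens."""
    return [
        (uri, "allowlisted OAuth callback on legacy herokuapp.com host")
        for uri in uris
        if classify_hostname(urlparse(uri).hostname or "") == "legacy"
    ]


# Constructed sample data (not real zones or apps).
SAMPLE_CNAMES = [
    ("www.example.test", "shop-frontend.herokuapp.com."),
    ("api.example.test", "shop-api-1a2b3c4d5e6f.herokuapp.com."),
    ("blog.example.test", "cdn.other-host.example."),
]
SAMPLE_CALLBACKS = [
    "https://shop-frontend.herokuapp.com/oauth/callback",
    "https://shop-api-1a2b3c4d5e6f.herokuapp.com/auth",
    "https://www.example.test/callback",
]

if __name__ == "__main__":
    for finding in audit_cnames(SAMPLE_CNAMES) + audit_oauth_callbacks(SAMPLE_CALLBACKS):
        print(*finding, sep=" | ")
```

Legacy findings are candidates for a follow-up check against the app inventory (or a DNS lookup for NXDOMAIN / a default Heroku "no such app" page), and for replacement with a custom domain or the new-format hostname.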

Conclusion

Over the years, we improved the safety of domain management on Heroku to prevent domain hijacks and similar attacks. For example, we removed the <appname>.heroku.com redirects and introduced random CNAME targets.

The introduction of a new format for herokuapp.com domains, which includes a random identifier appended to the subdomain, mitigates the risk of subdomain takeovers. This change prevents attackers from easily impersonating the original app URL and intercepting traffic meant for the deprecated or deleted app. Best of all, there’s no action required on your part to enable this protection.

Originally published: July 20, 2023
