Heroku Security Bug Bounty

Working with security researchers to ensure the trustworthiness of Heroku’s platform is an ongoing effort of ours. As part of this effort, the Heroku security team, in conjunction with Bugcrowd, is pleased to announce our new security bug bounty program. For each security bug you help find, which helps to ensure our platform is safe and secure, we'll reward you. Our initial rewards will be between $100 and $1500, varying based on the severity of the vulnerability.

Detailed rules and information about the scope of this bounty program are available on our page at Bugcrowd. As was previously the case, customer applications are strictly out of scope for the bounty – but we’ll pass information along to those customers if you let us know.


Cross-Site Request Forgery Vulnerability Resolution

On Friday January 18, security researcher Benjamin Manns notified Heroku of a security vulnerability related to our add-ons program. At a high level, the vulnerability could have resulted in disclosing our Cross-Site Request Forgery tokens (these tokens are used to prevent browser hijacking) to third parties.

We quickly addressed the vulnerability and on Sunday, we deployed a patch to remediate the issue. We also reviewed our code for related vulnerabilities and conducted a review of our audit logs to determine the impact of the vulnerability. We found no instances of this issue being exploited.

We wish to thank Mr. Manns for his work and commitment to responsible disclosure. You can access his write-up here: http://www.benmanns.com/posts/security-vulnerability-found-in-heroku-and-rails-form-tag/

We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us.

Oren Teich, Chief Operating Officer

Rails Security Vulnerability

A serious security vulnerability has been found in the Ruby on Rails framework. This vulnerability affects nearly all applications running Rails, and a patch has been made available.

Rails developers can get a full list of their affected Heroku applications by following the instructions here. Please address this security vulnerability by immediately upgrading your affected apps to any of the safe versions of Rails listed below. The following Rails versions have been patched and deemed safe from this vulnerability:

  • 3.2.11
  • 3.1.10
  • 3.0.19
  • 2.3.15

If you do not upgrade, an attacker can trivially gain access to your application and its data, and run arbitrary code or commands. Heroku recommends upgrading to a patched version immediately.

How to Upgrade:

Open the Gemfile in the affected application and change the Rails version to one listed above, for example:

gem 'rails', '3.2.11'

Then run:

$ bundle update rails

Then commit the results to git, and push to Heroku:

$ git commit -am "Bundle update rails"
$ git push heroku master

Repeat for any susceptible applications. If you cannot upgrade at this time, please consider enabling maintenance mode or scaling your app down to zero dynos.

$ heroku maintenance:on -a APPNAME
$ heroku scale web=0 -a APPNAME

Any applications running an insecure version are at risk.
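A check a practitioner could run over an app's Gemfile.lock before upgrading, comparing the locked Rails version against the four patched releases listed above. This is an added example, not Heroku's tooling or code from the original post; the lockfile contents are a constructed sample and the helper names are my own.

```ruby
# Added example: classify a Gemfile.lock's pinned rails version against the
# patched releases named in the post. Not Heroku's tooling; SAMPLE_LOCK below
# is a constructed lockfile, not a real application's.
require "rubygems"

# Lowest safe release for each affected series, as listed in the post.
PATCHED = {
  "3.2" => "3.2.11",
  "3.1" => "3.1.10",
  "3.0" => "3.0.19",
  "2.3" => "2.3.15",
}.freeze

# Constructed sample: a 3.2-series app still locked to the vulnerable 3.2.10.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.10)
        activemodel (= 3.2.10)
      rails (3.2.10)
        actionpack (= 3.2.10)
        railties (= 3.2.10)
      railties (3.2.10)

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

# The rails spec line sits under "specs:" with a four-space indent; entries that
# merely depend on rails ("rails (= x)") are indented differently and skipped.
def locked_rails_version(lockfile)
  m = lockfile.match(/^ {4}rails \(([^)]+)\)$/)
  m && m[1]
end

# :patched, :vulnerable, or :unknown_series when the version is not in one of
# the four series the post covers (or could not be read from the lockfile).
def rails_status(version)
  return :unknown_series if version.nil?
  v = Gem::Version.new(version)
  fix = PATCHED[v.segments[0, 2].join(".")]
  return :unknown_series unless fix
  v >= Gem::Version.new(fix) ? :patched : :vulnerable
end

# Release to pin in the Gemfile for a vulnerable app, nil otherwise.
def upgrade_target(version)
  return nil unless rails_status(version) == :vulnerable
  PATCHED[Gem::Version.new(version).segments[0, 2].join(".")]
end
```

Running `rails_status(locked_rails_version(File.read("Gemfile.lock")))` over each app's checkout gives a quick triage list before the `bundle update rails` step.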

Password Hijacking Security Vulnerability and Response

Heroku recently learned of and resolved a security vulnerability. We want to report this to you, describe how we responded to the incident, and reiterate our commitment to constantly improving the security and integrity of your data and source code.

On December 19, 2012, security researcher Stephen Sclafani notified us of an issue in our account creation system. Using a maliciously-crafted HTTP request, an attacker could change the password of a pre-existing Heroku user account, and thus gain control of it. This attack would not disclose the pre-existing password to the attacker (those are stored internally as non-recoverable bcrypt hashes).

Upon receiving notification, our engineering and security staff engaged with Mr. Sclafani. We developed and deployed a preliminary patch to production on December 20. While we were deploying the patch, Mr. Sclafani also discovered a related issue in the password reset flow that could be used to reset the passwords of a certain subset of users at random. A preliminary patch for this was also developed and deployed on December 20.

After deploying these patches, we conducted a thorough and comprehensive audit of our internal logs. We found no evidence that these vulnerabilities were exploited prior to Mr. Sclafani’s research on December 19, either by him or any other third parties. Due to the nature of the vulnerability, any customer whose account was compromised would have found both their existing password and API key invalidated, and would have had to initiate a password reset.

While both Mr. Sclafani and Heroku endeavoured to use test accounts exclusively, a very small number of customer account passwords were reset during the incident. We have contacted the impacted customers and advised them to reset their passwords and credentials.

We would like to thank Mr. Sclafani for notifying us of this vulnerability, and giving us ample opportunity to fix it. His description is available at http://stephensclafani.com/2013/01/09/vulnerabilities-in-heroku/. We are extremely grateful to both him and all external security researchers who practice responsible disclosure.

We are confident in the steps we have taken to protect our customers from this vulnerability and will continue to improve our internal processes in order to provide our customers with a trusted cloud platform. We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us.

Oren Teich, Chief Operating Officer
