App-focused PaaS provider Heroku patches password issues

Security researcher Stephen Sclafani first discovered the vulnerabilities last month. They would allow anyone with malicious intent to obtain any user’s e-mail address and, given only a user ID, to change that user’s password and hijack the account.

“Recently, while contemplating hosting options for my startup, I decided to take a look at Heroku. Upon signing up, I noticed that Heroku used a two-step sign up process,” Sclafani explained. “Multi-step sign up processes are notorious for containing security vulnerabilities, and after taking a closer look at Heroku’s I found [the flaws].”

The situation highlights the fragility of password-based security and the need, especially in the cloud era, for a layered, defence-in-depth approach when designing authentication flows.

In the first step of Heroku’s sign-up process, a user enters an email address; on submitting the form, the user is sent a confirmation email containing a link to activate the account. The activation link consists of the user’s ID and a token. Loading the activation link prompts the user to set a password for the account, and the email address entered in the first step is displayed. When that form is submitted, a POST request is made containing the user’s ID and the token from the activation link.

The problem was that the server did not enforce the token. If the POST was made with the token parameter removed and the password fields left blank, the resulting error page displayed the email address of whichever user’s ID was supplied as the value of the “ID” parameter. And if the POST was made with the token parameter removed and the password fields filled in, that user’s password was changed.
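As an added illustration (not Heroku’s code; the in-memory store, handler names and parameter names are assumptions), here is the check-only-if-present pattern behind the first flaw beside a hardened activation handler that requires, expires and single-uses the token and never echoes account data in error responses:

```python
import hmac
import secrets
import time

# Constructed in-memory user store; the id, email and token are sample values.
USERS = {
    42: {"email": "alice@example.com", "password": None,
         "activation_token": secrets.token_urlsafe(24),
         "token_expires": time.time() + 3600},
}

def activate_vulnerable(params):
    """Mirrors the reported flaw: the token is compared only when the client
    sends one, so omitting it skips the check, and the error page leaks the email."""
    user = USERS.get(int(params.get("id", 0)))
    if user is None:
        return {"status": 404, "body": "unknown user"}
    token = params.get("token")
    if token is not None and token != user["activation_token"]:
        return {"status": 403, "body": "bad token"}
    password = params.get("password", "")
    if not password:
        # Error page discloses the email for any id supplied
        return {"status": 400, "body": f"Password required for {user['email']}"}
    user["password"] = password            # no token was ever verified
    return {"status": 200, "body": "password set"}

def activate_fixed(params):
    """Hardened handler: token mandatory, constant-time compare, time-limited,
    single-use; one generic error so responses never confirm an id or its email."""
    generic = {"status": 403, "body": "invalid or expired activation link"}
    try:
        user = USERS.get(int(params.get("id", "")))
    except ValueError:
        return generic
    token = params.get("token")
    if user is None or not token or user["activation_token"] is None:
        return generic
    if time.time() > user["token_expires"]:
        return generic
    if not hmac.compare_digest(token.encode(), user["activation_token"].encode()):
        return generic
    password = params.get("password", "")
    if len(password) < 8:
        return {"status": 400, "body": "password must be at least 8 characters"}
    user["password"] = password
    user["activation_token"] = None        # consume the token: single use
    return {"status": 200, "body": "password set"}
```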

Sclafani also found a second vulnerability, this time within the reset password functionality. By modifying the post request it was possible to reset the password of a random user each time that the vulnerability was used.

After Sclafani reported the issues to Heroku on December 19, initial fixes were in place within 24 hours. However, the company wanted to conduct a “thorough and comprehensive audit of internal logs,” which it did before announcing the issue this week.

In the course of the company’s audit and testing, a small number of customer account passwords were reset during the incident, Heroku said. “We have contacted the impacted customers and advised them to reset their passwords and credentials,” said Oren Teich, COO at Heroku, in a blog.

“We are confident in the steps we have taken to protect our customers from this vulnerability and will continue to improve our internal processes in order to provide our customers with a trusted cloud platform,” Teich said. “We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us.”
