David E. Chen: Discovering the Heroku Vulnerability (opens in new tab)

(daverecycles.com)

108 pointsdaverecycles15y ago10 comments

10 comments

9 comments · 4 top-level

SupremumLimit15y ago· 3 in thread

I'm at least pleased with the way they handled the vulnerability. They seem to be making preventative changes for the future which is the main thing.

As much as I'd like everyone to be diligent about security as David suggests, I don't think it's going to happen. Developers aren't security or admin experts but they (me included) want a way to deploy apps without it being a major hassle. Handing off security to the provider is one of the big reason there are > 100K apps on Heroku, and it's a calculated cost/risk tradeoff.

cparedes15y ago

There needs to be a reality check at some point, however.

A company's needs might not be in tune with Heroku's general security policy. If you're creating an app that handles personal information, then I hope to god that your developer/ops guys are security minded.

This particular vulnerability is quite embarrassing, however: separation of environments should at least be a given on Heroku.

alttab15y ago

Heroku should have filtered other processes out of view that were related to other user's dynos. I think they will fix that.

It was interesting to read how the author figured it out, and his point that he could run a bunch of reapers to steal the information.

Now, if the IT guy running Herkous operations has his hat on straight he will notice the change in bandwidth patterns (higher upload following a heroku push) from the reapers, which is what the Heroku press release alluded to.

Generally, to benefit maliciously you would have to be watching the content without downloading it ("by hand" if you will) and then find something that was worth the effort.

Now that Dynos have more time to be considered in a different light, design changes will at least make the same "lottery watch dog" effect harder to achieve than just lurking on node.

SupremumLimit15y ago

In theory it shouldn't matter whether my security expertise is in-house or I pay some external party to provide it, right? The usual argument for economies of scale also applies - it's beneficial to have the platform provider manage security for the customers. I think the problem is that Heroku's (and most other providers') promise of security is nice in theory, but in practice they carry no responsibility if anything goes wrong.

I agree that it's important to make sure the provider's security policy is sufficient for your needs in the first place, however.

1 more reply

tlrobinson15y ago· 1 in thread

Which platform was this?

"For example, one Node.js platform provider that has been in the news recently was hacked in the past few days and all of their user databases were deleted. The reason why? They accidentally published their database password on GitHub. Oops."

This doesn't really surprise me, considering everyone and their mother is currently building "Heroku for Python/Node.js/[hot technology]".

tptacek15y ago

NodeFu.

code_duck15y ago· 1 in thread

This sort of hosting is basically no different than a typical 'shared host'. Why is there no 'heroku for PHP'? Oh... because those have been around for 8 years+ and are called 'shared hosts with Apache/PH/MySQL'.

I've looked around on a couple of hosts, 1and1 and I think he.net and found that it was quite possible to go looking around in other users accounts through the shell.

I'll stick with VPSs and dedicated servers.

cardmagic15y ago

http://phpfog.com/ is like heroku for PHP without the shared host.

wrs15y ago

Ugh. And to think I was worried about the implications of user privilege exploits on Heroku (well, I still am). Turns out there was no need to be so fancy!

j / k navigate · click thread line to collapse