Heroku has fixed a security issue it was alerted to in December that would have allowed an attacker to change the password of a pre-existing user account.
According to a blog post by Heroku chief operating officer Oren Teich on Wednesday, the issue was discovered on December 19, 2012, by security researcher Stephen Sclafani while he was reviewing web hosting options for his startup.
Heroku worked with Sclafani to develop and deploy patches last month, and found no evidence that the vulnerabilities were exploited prior to his research.
The collaborative, research-based approach is an interesting way to develop patches for security issues. Rather than having its own team take over once the vulnerability was discovered, or – as a Heroku customer points out in a comment on its blog – going so far as “persecuting the person who uncovers a vulnerability”, Heroku worked with Sclafani to find a solution.
The process landed Heroku at least one new customer.
“Despite finding these vulnerabilities I plan to host my startup at Heroku. Security vulnerabilities happen and Heroku handled the reports well,” Sclafani said in a blog post detailing the security vulnerabilities he found in Heroku.
Heroku said a very small number of customer account passwords were reset during the testing. Those customers were contacted and advised to reset their passwords and credentials.
“We would like to thank Mr. Sclafani for notifying us of this vulnerability, and giving us ample opportunity to fix it,” Teich said. “We are extremely grateful to both him and all external security researchers who practice responsible disclosure.”
“We are confident in the steps we have taken to protect our customers from this vulnerability and will continue to improve our internal processes in order to provide our customers with a trusted cloud platform,” Teich said. “We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us.”
Many web hosts, including Edgewebhosting most recently, have added two-factor authentication to prevent hackers from gaining access to customer accounts.
Talk back: What do you think of Heroku’s approach to patching the security vulnerability? Have you worked with security researchers before to deploy patches? Let us know in a comment.