科技回声

Vulnerabilities in Heroku's Build System

170 points, by Titanous, almost 13 years ago

11 comments

tptacek, almost 13 years ago

"Heroku offered me a paid penetration test contract, but required that I sign a retroactive non-disclosure agreement which would have precluded publishing this article."

Worth pointing out: virtually all paid pentesting engagements are delivered under NDA. In fact, more often than not, they're done under the far-stricter terms of a master agreement with detailed IP clauses.

If you're talking to any firm about having your app tested, get an NDA in place, and don't feel bad about asking. Nobody who thinks they need it should forestall having their app checked out because they think the firm they're going to work with is going to try to make news out of their findings.

Obviously, if your customers find vulnerabilities themselves, all bets are off!
Titanous, almost 13 years ago

Heroku's official response: http://blog.heroku.com/archives/2012/7/3/codon_security_issue_and_response/
kposehn, almost 13 years ago
Very glad to see this not only documented, but patched extremely quickly. Heroku continues to impress, and Titanous is a credit to the security profession.
seany, almost 13 years ago
Thank you for taking the high road and exposing the issue rather than giving them the option to hide it (not saying they would).
redslazer, almost 13 years ago

This is a really interesting insight into the way someone found access to a system, but could someone explain to me why he needed PGP keys from Heroku? I'm sure there is some good reason, but if someone could tell me, that would be great.
lawn, almost 13 years ago

That's a nice way of handling it, both from Heroku and from you who found the exploit. I feel content with my choice to use Heroku.
AndyKelley, almost 13 years ago
I'm happy to see both parties in this situation acting with a great deal of professionalism. It feels good to be a part of this community.
danso, almost 13 years ago

This is a minor point, but one of my favorite details: the use of a simple table for the "Disclosure Timeline", which is really the clearest way to illustrate the step-by-step sequence of events. I would love to see this become standard practice for any narrative in which order/visual comparison is vital. HTML tables are so easy to include (or, even, bulleted lists).

A masterful explanation, on top of being an altruistic deed.
illamint, almost 13 years ago
Perhaps a fantastic example of why keeping detailed configuration in environment variables is probably a bad idea. Your private SSH key isn't part of the environment. It's configuration. Treat it as such.
justincormack, almost 13 years ago

Well, someone could have easily discovered the environment variables vuln without getting the source code, although it is unclear why so much was disclosed in env vars. It suggests that everything runs as the same user, or you would not get anything.
sodelate, almost 13 years ago

The page is well composed.