Heroku Invoice Security Issue - You can see anyone's invoice

22 points by brittohalloran ↗ HN
Bad month for Heroku. My invoice hasn't updated in a while and I wanted to see my latest spend (I just started sending emails with delayed job). I was trying to figure out how to see my latest invoice, so I looked at the url:

https://api.heroku.com/invoices/show/xxxxxx

The last 6 digits are clearly an 'invoice id' number. On a whim I tried incrementing it by one to see if my next invoice was the next id, and I saw SOMEONE ELSES INVOICE. Sure enough, any number I put in there gives me someone else's latest invoice. Go ahead, try it. You have to be logged in, but once you are you can see anyones. There's no credit card information available, but you can see name, addresss, and detailed invoice. Interestingly, just about everyone spends $0.

I've notified Heroku.

UPDATE: Heroku has taken down their API site, presumably to fix this. As for all the backlash about posting this, I do understand it and feel bad in retrospect. I certainly wouldn't have posted it if there was credit card or SSN information available. I notified Heroku prior to posting and mostly wanted someone else to confirm that it wasn't just my account before they closed it down. They frequently take down the API site during outages and I expected them to do that a lot quicker than they did. I didn't expect it to reach the front page until it was a 'look at the problem that Heroku had' type of story. Lesson learned.

26 comments

[ 0.31 ms ] story [ 86.9 ms ] thread
Can't reproduce. But since I use heroku only for prototyping, I never received an invoice.
Really? Login, go to "My Account" in the upper left, then in "Current Usage", click on $0.00 to take you to your invoice.
Ok, heroku never got my credit card info (I created this account years ago, maybe it's required today, I don't know) - seems there is no "Current Usage" section in "My Account" on an unverified billing account. That is, I don't dispute you can see other invoices with your probably complete account - just I couldn't reproduce it on mine.
(comment deleted)
I was just able to reproduce it. Users name and billing address shows up with the invoice. I can't believe they let something like this slip through...
(comment deleted)
You can still see them. I've never received one either.
Did you give Heroku time to address the issue?
Jesus titty fucking Christ. Bugs are inevitable but this is a joke. What fucking developer thinks "yeah they're logged in so thats enough checking. They can't possibly guess a URL we don't show them, even though it's just an incrementing number"
What makes you think this was an intentional decision on the developer's part?
EDIT: removing URLs because it's the right thing to do.
Click on 'current usage' in your account and it takes you to your current invoice, which is accessible via the URL that he mentions. It appears to be only the current months usage / invoice that is vulnerable.
EDIT: removing URLs because it's the right thing to do.
Yikes - so are past invoices available as well then via the show/:id url?
I'm waiting for the "lessons learned from heroku invoice data" post.
Why do people use Heroku? I never understood the appeal.

Oh.. because they have a good graphic designer.

Lol.

"Forget servers, instances, and VMs. Focus on processes."

If that doesn't raise some red flags for you then you get what you deserve.

Yep, $212 million in value built in an extremely short time.

Because of a good graphic designer, sure.

More likely by charging $6400/month for 68GB of RAM.

That's less then $100/GB/Month.

With low prices like that it must be hard for people to resist.

Authentication is not Authorization. Sigh.
I'm pretty appalled that you submitted this to, arguably, one of the most-visited sites for tech news, without at least giving them time to address the problem.

This isn't a case of something small going unnoticed, resulting in a bit of a laugh and giggle. This is people's billing details, and you've just explained how to exploit the bug in complete detail.

I'm really unhappy that this sort of thing even crossed your mind :/

On one hand, I do see your point - at first glance it seems a bit unfair to ambush them like this. On the other hand, if the OP quietly submits it to Heroku and they fix it, then none of us find out. Posting about a vulnerability that has recently been fixed would not be likely to garner nearly as much attention as one that is an open issue.

This is the sort of thing that I, as a Heroku customer, really want to no about. Not because my personal information is at risk - no credit card #'s or anything are accessible - but because it changes my perspective on Heroku. This vulnerability is just plain sloppy on their part - I really though that the folks at Heroku were smarter than this.

If this leak provided access to any more sensitive data, like credit card #'s or SSN's I would 100% agree with you - notify Heroku and let them fix it first. But the only real harm I see coming from this being posted pre-fix is embarrassment for Heroku.

I'm sympathetic with growing pains, but this kind of bug is pretty much unforgivable. If they haven't patched it today, I'll be shocked.
I've flagged this post - I think HN moderators should remove it until such time as Heroku have had time to fix the issue.

There's too much sensitive data here - it would be trivial to write a script that banked it all for later analysis.

This is REALLY bad. You should have given them at least a day to fix it before posting it here though, this is pretty bad etiquette. I understand you're excited you discovered such a stupid mistake but everyone can just pull up my payment details by entering the correct URL now.