Heroku Invoice Security Issue - You can see anyone's invoice
https://api.heroku.com/invoices/show/xxxxxx
The last 6 digits are clearly an 'invoice id' number. On a whim I tried incrementing it by one to see if my next invoice was the next id, and I saw SOMEONE ELSES INVOICE. Sure enough, any number I put in there gives me someone else's latest invoice. Go ahead, try it. You have to be logged in, but once you are you can see anyones. There's no credit card information available, but you can see name, addresss, and detailed invoice. Interestingly, just about everyone spends $0.
I've notified Heroku.
UPDATE: Heroku has taken down their API site, presumably to fix this. As for all the backlash about posting this, I do understand it and feel bad in retrospect. I certainly wouldn't have posted it if there was credit card or SSN information available. I notified Heroku prior to posting and mostly wanted someone else to confirm that it wasn't just my account before they closed it down. They frequently take down the API site during outages and I expected them to do that a lot quicker than they did. I didn't expect it to reach the front page until it was a 'look at the problem that Heroku had' type of story. Lesson learned.
26 comments
[ 0.31 ms ] story [ 86.9 ms ] threadOh.. because they have a good graphic designer.
Lol.
"Forget servers, instances, and VMs. Focus on processes."
If that doesn't raise some red flags for you then you get what you deserve.
Because of a good graphic designer, sure.
That's less then $100/GB/Month.
With low prices like that it must be hard for people to resist.
This isn't a case of something small going unnoticed, resulting in a bit of a laugh and giggle. This is people's billing details, and you've just explained how to exploit the bug in complete detail.
I'm really unhappy that this sort of thing even crossed your mind :/
This is the sort of thing that I, as a Heroku customer, really want to no about. Not because my personal information is at risk - no credit card #'s or anything are accessible - but because it changes my perspective on Heroku. This vulnerability is just plain sloppy on their part - I really though that the folks at Heroku were smarter than this.
If this leak provided access to any more sensitive data, like credit card #'s or SSN's I would 100% agree with you - notify Heroku and let them fix it first. But the only real harm I see coming from this being posted pre-fix is embarrassment for Heroku.
There's too much sensitive data here - it would be trivial to write a script that banked it all for later analysis.