Heroku Invoice Security follow-up

3 points by brittohalloran ↗ HN
For context: Earlier I posted about a Heroku security flaw where anyone could see anyone elses billing invoice, containing their name, street address, and the list of apps and addons in their account (no credit card or SSN info). Heroku has taken down their API site, presumably to fix this.

As for all the backlash about posting, I do understand it and feel bad in retrospect. I certainly wouldn't have posted it if there was credit card or SSN information available. I notified Heroku prior to posting and mostly wanted someone else to confirm that it wasn't just my account before they closed it down. They frequently take down the API site during outages and I expected them to do that a lot quicker than they did. I didn't expect it to reach the front page until it was a 'look at the problem that Heroku had' type of story. Lesson learned.

2 comments

[ 2.9 ms ] story [ 14.0 ms ] thread
If its any consolation, I think you did the right thing. Who knows how long it would have taken them to look into it if it didn't hit the front page of HN?
Yeah. I guess it was OK. It doesn't hurt to see other invoices. I shoot a E-Mail to Heroku as soon I saw your post. And a couple hours later it was fixed. But if you find next time a more serious security issue, like credit cards or SSN infos or something like that, please don't push it to HN. Contact immediately the provider. It is a human thing to make mistakes and security issues are one of this mistakes.