Heroku Invoice Security follow-up
For context: Earlier I posted about a Heroku security flaw where anyone could see anyone elses billing invoice, containing their name, street address, and the list of apps and addons in their account (no credit card or SSN info). Heroku has taken down their API site, presumably to fix this.
As for all the backlash about posting, I do understand it and feel bad in retrospect. I certainly wouldn't have posted it if there was credit card or SSN information available. I notified Heroku prior to posting and mostly wanted someone else to confirm that it wasn't just my account before they closed it down. They frequently take down the API site during outages and I expected them to do that a lot quicker than they did. I didn't expect it to reach the front page until it was a 'look at the problem that Heroku had' type of story. Lesson learned.
2 comments
[ 2.9 ms ] story [ 14.0 ms ] thread