Security Hole in Heroku's Mailing Service

Heroku recently exposed our private database information because of a serious security vulnerability in their email service. I wanted to share this security hole with other developers and Heroku customers who might be affected.

We’ve generally had a great experience with Heroku and have been customers since we started Kapwing. This article is not intended to be a scathing review of Heroku, but I do think that other webmasters should know about this security incident and that Heroku should put out more information publicly to all those who were affected.

Incident

On November 9, a support agent from mLab, our database hosting provider, sent an email to our Heroku admin email address, [email protected] The email included private information about our webapp, including our mLab database ID, the number of open connections, and a set of active IPs with open connections.

Several members of the Kapwing engineering team, including me, got this email as emails to [email protected] go to anyone who has subscribed to this mailing list from within our Heroku account. Unauthorized users shouldn’t be able to subscribe to the @herokumanager email as it’s a private alias for our Heroku account.

A random third party user that we had never heard of responded to the email, asking “Why am I on these emails? I’m a [Heroku] Customer but this isn’t my account.” He had received the email in error and was BCC’ed on the thread from mLab. He later said that his app has an account with Heroku but he had never heard of Kapwing.

Email from a stranger

The person’s email address includes the first name of our Heroku account admin - “david” - in the domain but otherwise has no semantic similarity to our company email addresses.

Confirmed Security Hole

When we followed up with Heroku’s support today, they confirmed that they several random unauthorized people got the email to [email protected]

From Heroku: “On November 13, 2019, the Salesforce Security team was notified that PremiereRush [the Heroku email service] has been incorrectly parsing team addresses, causing unintended recipients to be copied on emails.”

Email from Heroku

We’re not certain about the extent on this bug or how many people were affected, but Heroku customers should know that their @HerokuManager alias may include unauthorized users on BCC. The @HerokuManager email is intended to be a private mailing list for account admins and to help with authentication for third party plugins, so this security bug may expose confidential data to an unintended audience.

We filed a security ticket with Heroku on Sunday Nov 10. A Heroku support rep responded the next day telling us that the issue was likely caused by human error (either a Kapwing admin or the mLab sender CC’ing the email accidentally). We followed up restating that this could not possibly be true. It was not until Friday Nov 15 that Heroku confirmed the security hole.

I anticipate that Salesforce Security or Heroku will publish more information about who was affected and how to respond as soon as possible.

Am I Affected?

If I understand correctly, you may be affected by this security hole if:

  • You have an account with Heroku
  • Your app uses any third-party Heroku plugins like Sentry, New Relic, mLab, Redis, AppDynamics, etc.
  • You have ever used the @HerokuManager email address for internal communication or authentication