If you are a user of Salesforce’s platform-as-a-service Heroku you will have received an email this week letting you know that you will shortly be asked to reset your password (or you can do it now in advance).
There are doubtless some questions regarding the implications of this, and what brought about such a drastic move.
Firstly, the implications.
The email mentions that resetting the password will invalidate past API tokens. This means that third party services that you have integrated to your Heroku hosted application will stop working with your application, and the link will be broken. You will need to renew those tokens once the password has been updated.
Once the password has been changed and you have updated the tokens, you should thoroughly test to ensure your application is working as expected, and the integrations are not broken. This is very important.
If you have a dev-ops service (such as reinteractive OpsCare) who help you to manage your Heroku instance, they will be able to assist you with much of this.
Why did this come about?
In mid April it appears (and is still being investigated) that an unknown person was able to access OAuth tokens from a Heroku repository on Github. Those tokens potentially provided access to Git repositories for Heroku connected accounts.
In reality only a very small number of accounts were affected, but the potential was probably larger. The Heroku customers were notified where they might have been affected.
The stolen tokens were revoked by the Heroku team quickly, limiting the issue.
Of course the question remains, how did this occur, and more importantly, will it occur again in the future.
There does not seem to be any valid information available as to why it occurred beyond the obvious facts. As to this occurring again - I would not expect the same thing to happen again - safeguards are already in place - but it does point to an inconvenient truth; as much work as we all do to harden and strengthen our systems, platforms and applications, there will be a malicious someone working just as hard to find a loophole, way through or weak point to take advantage of. Our job, whether the service owner, manager or user is to do everything that we can to mitigate these risks.
- Ensure your software and operating systems is on the latest recommended version and patched with any relevant security updates
- Follow best practice on setting passwords and security tokens
- Don’t leave those passwords or tokens in plain text where they can be found (such as in a code base - even if this is secured in GitHub)
- 2 Factor Auth is mandatory for any of your applications
- Follow any advice on security matters after verifying it for yourself where it comes from your It team DevOps team or the software provider.
As a final word, take the obvious and clear steps to mitigate risk, but also, don’t panic. Continue to build your application, increase your client base and be as successful as you like!
If you have any further concerns or questions, you can reach out to us and we will point you in the right direction or answer your questions:
The Benefits of Ruby on Rails
Heroku Forcing Password Resets as GitHub Investigation Continues
How to Maximise your ROI with a Custom Application Built in Sa...
reinteractive is Australia’s largest dedicated Ruby on Rails development company. We don’t cut corners and we know what we are doing.
We are an organisation made up of amazing individuals and we take pride in our team. We are 100% remote work enabling us to choose the best talent no matter which part of the country they live in. reinteractive is dedicated to making it a great place for any developer to work.
Webinars are our online portal for tips, tricks and lessons learned in everything we do. Make the most of this free resource to help you become a better developer.
The Ruby on Rails Installfest includes a full setup of your development environment and step-by-step instructions on how to build your first app hosted on Heroku. Over 1,800 attendees to date and counting.
The Ruby on Rails Development Hub is a monthly event where you will get the chance to spend time with our team and others in the community to improve and hone your Ruby on Rails skills.