Heroku Bug Bounty 2015 (API) - Re Auth Session Token Bypass Vulnerability

Heroku Bug Bounty 2015 (API) - Re Auth Session Token Bypass Web Vulnerability

An application-side re-auth session bypass vulnerability has been discovered in the official heroku API & web-application service. The vulnerability allows an attacker to request unauthorized information without the second forced re authentication module.

The heroku web-service provides to all web services an expire session function that disallows to visit the page without re authentication. The dataclips page session of the editor and the postgres service allows to add for example new context. If the session expires in the main heroku web-service the user will be forced to login again. 

During the tests we releaved that the session of the dataclip service and editor is available even if the re-authentication service is still running. If the local attacker changes the path manually to request directly the stored context in the profile (like shown in video) he is able to bypass the security mechanism to add or request the database name.

The session validation mechnism needs to provoke a refresh of the progres datasheet page or the dataclips add through editor to prevent unauthorized access after a session has been expired during the usage of the heroku service.

The local re auth bypass vulnerability can be exploited by local attackers with low privilege web-application user account or by remote attackers without privlege web-application account and high user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the re-auth bypass vulnerability ...

1. Register a webpage account at the official heroku website
2. Provoke the re-auth function that pops up after several profile interaction during the time after the session expired
3. When the session is expired to do not press the re-auth function button that popup stable to all service
4. Switch back to the postgres.heroku service and add dataclips or own databases even if the session is expired to all other modules and sites
Note: Even if all session are expired the user is able to request the database and the dataclips in the service without authorization
5. Successful reproduce of the session vulnerability!

The security researchers of the vulnerability laboratory demonstrated the issue by a security video. The video demonstrates the vulnerability in the re-auth function of the heroku service which affects only the heroku service with the dataclips and databases. The session expired values also needs to be recognized in the database service and the site validation request to prevent access without re-auth to heroku itself.

Video: http://www.vulnerability-lab.com/get_content.php?id=1336

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1323