Heroku provides a wonderful service. It’s a service that’s solid enough that you can really grow big on it. There are some businesses that have grown very big on Heroku, had many millions of dollars invested in them and in some cases been sold for many millions of dollars too. I love using Heroku.
It’s a bit disconcerting though that if you go to SXSW, you hang out with some eager young founder whose business is on Heroku and you borrow their phone; you can delete their website before they finish their drink.
This is a bit of a flippant post, intentionally so, as I’m hoping to draw attention to the problem for Heroku and other services too. I have mentioned it to them before but it hasn’t yet got any love. It’s not only a problem with Heroku; it’s just that that’s where my business is, so that’s what I’m concerned about.
10 steps to delete someone’s business off Heroku
1. Put down your drink
2. Ask to borrow their phone (or watch their pin and take it)
3. Go to Heroku’s reset password link
4. Enter their email and reset their password
5. Open the mail app on the phone
6. Click on the email from Heroku
7. Enter a new password
8. Go to the app > their business > settings
9. Click delete
10. Finish your drink
It’s not clear to me whether backups created using Heroku’s PGBackups service will also be synchronously deleted but if they are then what just happened was Really Bad.
2-factor doesn’t really help
This isn’t something that 2-factor authentication is going to fix. 2-factor auth is great at preventing a man-in-the-middle attack, but when the attacker has your phone they probably also have the second auth channel (Google Authenticator / SMS / keys with your RSA fob).
What might help
Here are a few simple things that would make an attack harder:
1. Don’t delete or even deactivate an app when someone asks, set a job to do it in a few days
2. Don’t delete any database backups for longer still
3. Send that person an email every day in between telling them their app is going to be deleted
4. Let them set a second password to delete the account
5. Do multi-channel auth but do it 72 hours later, once they’ve either got their phone back or noted that it’s gone.
6. Allow a “second signatory” on the account - someone else who has to concur before you push the button
In the case of Heroku, all of the above measures would ideally need to apply to other abilities that could damage the service such as removing addons, workers, dynos etc. too.
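As an added example of the delayed-deletion, daily-warning and second-signatory ideas above (this is not Heroku’s code and not from the original post), here is one way a service could model a destructive request; the 72-hour grace period, the app name and the email addresses are assumed or constructed values.

```ruby
# Added example, not Heroku's code: deleting an app is recorded as a pending
# request that only runs after an assumed 72-hour grace period AND once a
# different account has countersigned; the owner can cancel while pending.
class DeletionRequest
  GRACE_PERIOD = 72 * 60 * 60 # seconds; assumed value for "a few days"
  def initialize(app_name, requested_by, now: Time.now)
    @app_name     = app_name       # constructed sample values in the test
    @requested_by = requested_by
    @requested_at = now
    @concurred_by = nil
    @state        = :pending
  end

  # Earliest moment the scheduled deletion job may actually run.
  def executes_at
    @requested_at + GRACE_PERIOD
  end

  # Second signatory: the requester cannot countersign their own request,
  # so a stolen phone alone is never enough.
  def concur(user)
    raise ArgumentError, "signatory must differ from requester" if user == @requested_by
    @concurred_by = user
    self
  end

  # Cancelling is always allowed while the request is pending.
  def cancel
    @state = :cancelled if @state == :pending
    self
  end

  # Body of the daily warning email while pending; nil once it is not.
  def reminder(now: Time.now)
    return nil unless @state == :pending
    hours_left = ((executes_at - now) / 3600.0).ceil
    "#{@app_name} will be deleted in #{hours_left} hours; cancel if this was not you"
  end

  # Called by the scheduled job. Returns :deleted, or the reason it did not run.
  def execute(now: Time.now)
    return :cancelled                 if @state == :cancelled
    return :already_deleted           if @state == :deleted
    return :grace_period_active       if now < executes_at
    return :awaiting_second_signatory if @concurred_by.nil?
    @state = :deleted
    :deleted
  end
end
```

The same gate would apply to removing addons, workers or dynos, with the job simply calling a different action once `execute` reports `:deleted`.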
This isn’t just Heroku’s problem, it may apply to your service
In the past you could be fairly certain that short of getting phished etc. your email was reasonably secure - if only by obscurity. You used a computer and you left it at home or at work. The computer itself probably had a login. You probably didn’t have the computer with you when you were drunk at parties.
However, our email is no longer inaccessible: it’s in our pockets, we don’t log out of it, and we just put a 4-digit pin on it. We hand it to someone when we show them a photo, or leave our phones in an iPod dock at a party.
Since almost every account has a password reset via email, every account is accessible via our phone. It would be great to have some different auth patterns, but in the meantime it would be good to lock down those things which matter most. One of those things for me is Heroku.