[flagged]
brittohalloran on June 18, 2012


I'm pretty appalled that you submitted this to, arguably, one of the most-visited sites for tech news, without at least giving them time to address the problem.

This isn't a case of something small going unnoticed, resulting in a bit of a laugh and giggle. This is people's billing details, and you've just explained how to exploit the bug in complete detail.

I'm really unhappy that this sort of thing even crossed your mind :/


On one hand, I do see your point - at first glance it seems a bit unfair to ambush them like this. On the other hand, if the OP quietly submits it to Heroku and they fix it, then none of us find out. Posting about a vulnerability that has recently been fixed would not be likely to garner nearly as much attention as one that is an open issue.

This is the sort of thing that I, as a Heroku customer, really want to know about. Not because my personal information is at risk - no credit card #'s or anything are accessible - but because it changes my perspective on Heroku. This vulnerability is just plain sloppy on their part - I really thought that the folks at Heroku were smarter than this.

If this leak provided access to any more sensitive data, like credit card #'s or SSNs, I would 100% agree with you - notify Heroku and let them fix it first. But the only real harm I see coming from this being posted pre-fix is embarrassment for Heroku.


Did you give Heroku time to address the issue?


I've flagged this post - I think HN moderators should remove it until such time as Heroku have had time to fix the issue.

There's too much sensitive data here - it would be trivial to write a script that banked it all for later analysis.


I'm waiting for the "lessons learned from heroku invoice data" post.


I'm sympathetic with growing pains, but this kind of bug is pretty much unforgivable. If they haven't patched it today, I'll be shocked.



This is REALLY bad. You should have given them at least a day to fix it before posting it here, though; this is pretty bad etiquette. I understand you're excited you discovered such a stupid mistake, but everyone can just pull up my payment details by entering the correct URL now.


Jesus titty fucking Christ. Bugs are inevitable but this is a joke. What fucking developer thinks "yeah, they're logged in so that's enough checking. They can't possibly guess a URL we don't show them, even though it's just an incrementing number".


What makes you think this was an intentional decision on the developer's part?


Can't reproduce. But since I use heroku only for prototyping, I never received an invoice.


I was just able to reproduce it. The user's name and billing address show up with the invoice. I can't believe they let something like this slip through...


Really? Login, go to "My Account" in the upper left, then in "Current Usage", click on $0.00 to take you to your invoice.


Ok, heroku never got my credit card info (I created this account years ago, maybe it's required today, I don't know) - seems there is no "Current Usage" section in "My Account" on an unverified billing account. That is, I don't dispute you can see other invoices with your probably complete account - just I couldn't reproduce it on mine.


You can still see them. I've never received one either.


EDIT: removing URLs because it's the right thing to do.


Click on 'current usage' in your account and it takes you to your current invoice, which is accessible via the URL that he mentions. It appears to be only the current month's usage / invoice that is vulnerable.


EDIT: removing URLs because it's the right thing to do.


Yikes - so are past invoices available as well then via the show/:id URL?


Authentication is not Authorization. Sigh.
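The distinction in the comment above, as an added example that is not Heroku's code and not from this thread: a Rails-style invoice handler that only checks for a login beside one scoped to the caller's own records, plus the regression check a defender would run. The invoice records and the handler names are constructed for the example.

```ruby
# Added illustration (not Heroku's code): the difference between
# "is the caller logged in?" and "may this caller see this invoice?".
# Data store and names below are hypothetical, constructed for this example.

Invoice = Struct.new(:id, :owner_id, :name, :address)

# Constructed sample records with sequential ids, as the thread describes.
INVOICES = {
  1001 => Invoice.new(1001, "user-a", "Alice Example", "1 Main St"),
  1002 => Invoice.new(1002, "user-b", "Bob Example",   "2 High St"),
}

# Vulnerable pattern: authentication only. Any logged-in user who
# requests /invoices/show/:id gets that invoice back, whoever owns it.
def show_invoice_authn_only(current_user_id, invoice_id)
  raise "401 not authenticated" if current_user_id.nil?
  INVOICES[invoice_id]            # no ownership check at all
end

# Hardened pattern: authorization. The lookup is scoped to the caller's
# own records, so a foreign id resolves to nothing (a 404 in a real
# handler, rather than a 403 that would confirm the id exists).
def show_invoice_authz(current_user_id, invoice_id)
  raise "401 not authenticated" if current_user_id.nil?
  inv = INVOICES[invoice_id]
  return nil unless inv && inv.owner_id == current_user_id
  inv
end

# Defender's regression check: walk every known id as one user and
# report any invoice the handler returns that this user does not own.
def leaked_ids(handler, as_user)
  INVOICES.keys.select do |id|
    inv = send(handler, as_user, id)
    inv && inv.owner_id != as_user
  end
end

if __FILE__ == $0
  puts "authn-only leaks: #{leaked_ids(:show_invoice_authn_only, 'user-a').inspect}"
  puts "authz leaks:      #{leaked_ids(:show_invoice_authz, 'user-a').inspect}"
end
```

The same check belongs in the application's test suite so that a refactor which drops the ownership scope fails CI rather than shipping.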


yikes - it's true.


Why do people use Heroku? I never understood the appeal.

Oh.. because they have a good graphic designer.

Lol.

"Forget servers, instances, and VMs. Focus on processes."

If that doesn't raise some red flags for you then you get what you deserve.


Yep, $212 million in value built in an extremely short time.

Because of a good graphic designer, sure.


More likely by charging $6400/month for 68GB of RAM.

That's less than $100/GB/month.

With low prices like that it must be hard for people to resist.
