
In their communication about the April 2022 breach (summary here), Heroku states that environment variables (other than Review apps and CI variables) were safe because they are encrypted at rest.

We also wanted to address a question regarding impact to environment variables. While we confirmed that the threat actor had access to encrypted Heroku customer secrets stored in config var, the secrets are encrypted at rest and the threat actor did not access the encryption key necessary to decrypt config var secrets.

I wonder what prevents the hacker who could download them from trying many random decryption keys for the DATABASE_URL environment variable, for example, until it decrypts to something that starts with postgres, at which point they would have found the key. Once they have the key, they can decrypt everything else.

What am I missing here?

  • This is no different from brute forcing any other symmetric encryption. – defalt Jul 14 '22 at 13:41
  • @defalt thanks for the reply. This is interesting. I am no expert in encryption, and thus don't know what the consequences mean. Does that mean that it would take years of computing power to do so? Isn't there a difference in that the hacker can expect what the start of the result would be, and thus can know when they have found the key? – Vic Seedoubleyew Jul 15 '22 at 09:30
  • You are talking about a "known-plaintext attack" and encryption algorithms are designed specifically to not be vulnerable to that (and other attack types) – schroeder Jul 15 '22 at 09:34
  • 1
  • @schroeder thanks a lot, I didn't know that concept. I looked it up, now I understand. I think it solves my question. Thanks a lot! – Vic Seedoubleyew Jul 18 '22 at 13:57
  • I asked another question related to this breach here: https://security.stackexchange.com/questions/263499/were-herokus-standard-git-repositories-accessible-by-april-2022-attacker. If you have any idea on the matter I would be very interested. – Vic Seedoubleyew Jul 22 '22 at 13:36
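The comments settle the question in one line: a known prefix such as postgres lets an attacker recognise the right key, but it does not shrink the number of keys that have to be tried. The following Python is an added illustration written for this page, not code from the question, the comments or Heroku. It uses a constructed toy cipher (SHA-256 keystream XORed with the plaintext) whose key size is deliberately tiny so the exhaustive "does it start with postgres?" search finishes in milliseconds, and then works out the same search for a 256-bit key. The key-rate figure of one trillion keys per second is an assumption chosen for the arithmetic; Heroku's actual cipher and key length are not stated on the page.

```python
import hashlib

# Constructed toy cipher: keystream = SHA-256(key || counter) blocks, XORed
# with the plaintext. It stands in for the real (unknown) at-rest encryption;
# the only parameter under discussion is the size of the key space.
def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))

toy_decrypt = toy_encrypt  # XOR with the same keystream undoes it


def known_prefix_search(ciphertext: bytes, prefix: bytes, key_bits: int):
    """Exhaustive search over every key of key_bits bits.

    A candidate is accepted when the first len(prefix) bytes decrypt to the
    known prefix (the "starts with postgres" test from the question).
    Returns (key, number_of_trials); (None, 2**key_bits) if nothing matched.
    Note that the prefix only *confirms* a key; every key still has to be tried.
    """
    key_len = (key_bits + 7) // 8
    for trial in range(1 << key_bits):
        key = trial.to_bytes(key_len, "big")
        if toy_decrypt(key, ciphertext[: len(prefix)]) == prefix:
            return key, trial + 1
    return None, 1 << key_bits


def expected_years(key_bits: int, keys_per_second: float) -> float:
    """Average time to find a key by exhaustive search (half the key space)."""
    seconds_per_year = 365.25 * 24 * 3600
    return (2 ** (key_bits - 1)) / keys_per_second / seconds_per_year


# Constructed sample: a 16-bit key protecting a DATABASE_URL-like value.
TOY_KEY_BITS = 16
TOY_KEY = (0x2A5C).to_bytes(2, "big")
SAMPLE_SECRET = b"postgres://user:pw@db.example.invalid/app"  # constructed
SAMPLE_CIPHERTEXT = toy_encrypt(TOY_KEY, SAMPLE_SECRET)


def demo():
    found, trials = known_prefix_search(SAMPLE_CIPHERTEXT, b"postgres", TOY_KEY_BITS)
    print(f"16-bit toy key recovered after {trials} trials: {found.hex()}")
    print(f"  plaintext: {toy_decrypt(found, SAMPLE_CIPHERTEXT).decode()}")
    # Same method, real key sizes, assuming 1e12 key trials per second.
    for bits in (16, 64, 128, 256):
        print(f"{bits:>3}-bit key: {expected_years(bits, 1e12):.3g} years on average")


if __name__ == "__main__":
    demo()
```

The search succeeds against the 16-bit toy key precisely because the key space is 65,536 entries; each extra key bit doubles the work, and at 256 bits the expected time exceeds 10^50 years even at a trillion trials per second. Known plaintext gives a stopping condition, not a shortcut, which is why the comment thread's answer holds.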
