Title: Square Hoptoad Notifier v2.4.8 Ruby Gem API Key exposure
Date: 4/15/2014
Author: Larry W. Cashdollar

Description: "Send your application errors to our hosted service and reclaim your inbox."

Download: http://rubygems.org/gems/square-hoptoad_notifier

Vulnerability: Line 23 of shared_tasks.rb interpolates the Heroku API key into a shell command string, and line 26 executes that string with backticks. The key therefore travels as an argument of the heroku command and is visible in the process table (e.g. via ps) to every local user for as long as the command runs. Line 25 also echoes the complete command, key included, to stdout, so it ends up in console output and build logs.

In square-hoptoad_notifier-2.4.8/lib/hoptoad_notifier/shared_tasks.rb: 22

 23       command = %Q(heroku addons:add deployhooks:http url="http://hoptoadapp.com/deploys.txt?deploy[rails_env]=#{heroku_rails_env}&api_key=#{heroku_api_key}")
 24 
 25       puts "\nRunning:\n#{command}\n"
 26       puts `#{command}`
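The following Ruby script is an added demonstration written for this advisory; it is not code from the gem. It reproduces the pattern above with a constructed sample key, samples the child process's argv the way ps would (from /proc/<pid>/cmdline on Linux, falling back to ps), and contrasts it with passing the secret through the environment, which the child still receives but which does not appear in the world-readable command line. Because the real heroku CLI cannot be run offline, an idling "sh -c" stands in for it; the extra positional argument lands in argv exactly as the URL does in the gem. It also shows redacting the key before the command is echoed, as line 25 does unredacted.

```ruby
require "open3"
require "shellwords"

# Constructed sample values for the demonstration; not real credentials.
HEROKU_RAILS_ENV = "production"
HEROKU_API_KEY   = "EXAMPLEKEY0123456789abcdef"

# The gem's pattern: the key is interpolated straight into a shell command.
def vulnerable_command(rails_env, api_key)
  %Q(heroku addons:add deployhooks:http url="http://hoptoadapp.com/deploys.txt?deploy[rails_env]=#{rails_env}&api_key=#{api_key}")
end

# What ps shows for a running process: /proc on Linux, ps elsewhere.
def argv_of(pid)
  if File.exist?("/proc/#{pid}/cmdline")
    File.read("/proc/#{pid}/cmdline").split("\0")
  else
    `ps -o args= -p #{pid}`.strip.shellsplit
  end
end

# Spawn argv (with optional env) in its own process group and return the argv
# any local user could read while it ran. Polls until the child has exec'd.
def observed_argv(argv, env = {})
  pid = Process.spawn(env, *argv, out: File::NULL, err: File::NULL, pgroup: true)
  sampled = []
  40.times do
    sampled = argv_of(pid)
    break if sampled.first == argv.first
    sleep 0.05
  end
  sampled
ensure
  if pid
    Process.kill("TERM", -pid) rescue nil
    Process.wait(pid) rescue nil
  end
end

# Stand-in for the heroku binary: a shell that idles so it can be inspected.
# "sleep 30; true" keeps sh from exec-replacing itself with sleep, so the
# positional args stay visible in its argv.
IDLE = ["sh", "-c", "sleep 30; true", "sh"].freeze

# Vulnerable shape: the key travels in argv (true if any local user can see it).
def key_in_argv?(api_key)
  url = "http://hoptoadapp.com/deploys.txt?deploy[rails_env]=#{HEROKU_RAILS_ENV}&api_key=#{api_key}"
  observed_argv(IDLE + [url]).any? { |arg| arg.include?(api_key) }
end

# Hardened shape: the key travels in the environment. /proc/<pid>/environ is
# readable only by the process owner (and root), unlike cmdline.
def key_in_argv_with_env?(api_key)
  observed_argv(IDLE, { "HEROKU_API_KEY" => api_key }).any? { |arg| arg.include?(api_key) }
end

# The child still receives the secret through the environment.
def child_sees_env_key(api_key)
  out, _status = Open3.capture2({ "HEROKU_API_KEY" => api_key },
                                "sh", "-c", 'printf %s "$HEROKU_API_KEY"')
  out
end

# Line 25 of the gem prints the raw command; redact the secret before logging.
def redacted(command, secret)
  command.gsub(secret, "[REDACTED]")
end

if __FILE__ == $0
  cmd = vulnerable_command(HEROKU_RAILS_ENV, HEROKU_API_KEY)
  puts "Logged as:           #{redacted(cmd, HEROKU_API_KEY)}"
  puts "Key in argv (gem):   #{key_in_argv?(HEROKU_API_KEY)}"
  puts "Key in argv (env):   #{key_in_argv_with_env?(HEROKU_API_KEY)}"
  puts "Child received key:  #{child_sees_env_key(HEROKU_API_KEY) == HEROKU_API_KEY}"
end
```

The environment-variable route only helps when the tool on the other side reads it; the heroku CLI as invoked here takes the hook URL as an argument, so the durable fix is to stop shelling out with the key (call the provider's HTTP API from Ruby, or have the user run the command interactively) and, at minimum, never echo the unredacted command.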

Vendor Notified: 4/15/2014

Advisory: http://www.vapid.dhs.org/advisories/hotpad-notifier-api.html