An application-side re-authentication session bypass vulnerability has been discovered in the official Heroku API and web-application service. The vulnerability allows an attacker to request unauthorized information without passing through the second, forced re-authentication module.