[cduruk]

The discoverer of the vulnerability also wrote a blog post about it.

Blog post: http://daverecycles.com/post/2858880862/heroku-hacked-dissec...

HN Discussion: http://news.ycombinator.com/item?id=2128175

Disclaimer: I know David E. Chen personally from college.