Numerous publicly accessible Salesforce Communities are misconfigured and could expose sensitive information, says research published today.
A Salesforce Community site lets customers and partners interface with a Salesforce instance from outside an organization. For example, they can open support tickets, ask questions, manage their subscriptions and more.
According to Varonis, anonymous users can “query objects that contain sensitive information such as customer lists, support cases and employee email addresses.” The research team explains in a blog post that a “malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign” at a minimum.
“At worst, they could steal sensitive information about the business, its operations, clients, and partners,” it goes on to say. “In some cases, a sophisticated attacker may be able to move laterally and retrieve information from other services that are integrated with the Salesforce account.”
Salesforce communities run on Salesforce’s Lightning framework — a rapid development framework for mobile and desktop sites. It is a component-oriented framework, using aura components — self-contained objects that a developer can use to create web pages. In the case of Salesforce, aura components can be used to perform actions such as viewing or updating records.
“In misconfigured sites, the attacker can perform recon by looking for information about the organization, like users, objects, and fields that expose names and email addresses and in many cases, they can infiltrate the system or steal information,” explains the Varonis research team. “First, the attacker must find a community site to exploit.”
The researchers go on to explain that “there are common URL ‘fingerprints’ that will indicate a website is powered by Salesforce Communities,” such as “/s/topic,” “/s/article” and “/s/contactsupport.” The attacker can then retrieve information about the site, including the organization’s domain, some of its security settings and the objects that are available.
According to the research team, Salesforce admins can take the following steps to protect themselves from attackers:
- Ensure guest profile permissions don’t expose things that shouldn’t be exposed such as account records, employee calendars, etc.
- Disable API access for guest profiles.
- Set the default owner for records created by guest users.
- Enable secure guest user access.
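A small audit script illustrating the first two recommendations, written for this article and not taken from Varonis or Salesforce: it parses a Salesforce Profile metadata document (the XML shape used by the Metadata API) for a guest profile and flags read access on objects that are treated as sensitive, plus the `ApiEnabled` user permission. The sample profile and the list of sensitive objects are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by Salesforce Profile metadata files.
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Assumed set of objects a guest profile should not be able to read; the article
# names customer lists, support cases and employee email addresses as the risk.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "User"}

# Constructed sample of a guest profile's metadata, not a real org's export.
GUEST_PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Account</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Case</object>
    </objectPermissions>
    <objectPermissions>
        <allowRead>false</allowRead>
        <object>Opportunity</object>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>"""


def audit_guest_profile(xml_text):
    """Return a list of findings for a guest-profile metadata document."""
    root = ET.fromstring(xml_text)
    findings = []
    # Recommendation 1: guest read access on sensitive objects.
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", default="", namespaces=NS)
        readable = op.findtext("m:allowRead", default="false", namespaces=NS) == "true"
        if readable and obj in SENSITIVE_OBJECTS:
            findings.append(f"guest read access on sensitive object {obj}")
    # Recommendation 2: API access should be disabled for guest profiles.
    for up in root.findall("m:userPermissions", NS):
        name = up.findtext("m:name", default="", namespaces=NS)
        enabled = up.findtext("m:enabled", default="false", namespaces=NS) == "true"
        if name == "ApiEnabled" and enabled:
            findings.append("API access is enabled for the guest profile")
    return findings


if __name__ == "__main__":
    for finding in audit_guest_profile(GUEST_PROFILE_XML):
        print(finding)
```

Field-level permissions (`fieldPermissions`) and sharing rules are not covered here, so a clean result from this check does not by itself mean the guest profile is safe.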
This finding shows that security teams need to assess their SaaS exposure continually, says the research team.