A Salesforce misconfiguration can expose sensitive data, warns Varonis.
The data security and analytics firm has issued a warning this week about a Salesforce flaw that can expose sensitive data to anyone on the internet.
In some cases, an attacker can move laterally and retrieve information from other services integrated with the Salesforce account as well as information about a business, its operations, clients, and partners.
"At a minimum, a malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign," says Varonis researcher Nitay Bachrach.
"At worst, they could steal sensitive information about a business, its operations, clients, and partners. In some cases, a sophisticated attacker could be able to move laterally and retrieve information from other services integrated with the Salesforce account."
The issue lies within the Salesforce Community, which lets Salesforce customers create their own websites to connect with users outside their organisation and collaborate. Communities can feature all sorts of functionality, like Q&A, forums, a partner portal, and more. Communities can also allow anonymous users to query objects -- such as customer lists, support cases, employee email addresses, and more -- containing sensitive information.
While researchers reported the issue to Salesforce last year, there are still countless organisations exposed. Since Salesforce has more than 150,000 customers worldwide, and 90% of the Fortune 500 are Salesforce customers, Varonis warns that thousands of companies could be vulnerable.
The Varonis threat update details new angles to the attack that have not been published. Varonis disclosed its findings to Salesforce, which said it is working on updates to its app to make it harder for admins to expose information accidentally.
Varonis wrote a scanner utility to find exposed communities. The tool is not being publicly released because it could make it easy for malicious actors to zero in on vulnerable organisations.
"This isn't the first time -- and won't be the last time -- a SaaS configuration issue can create a serious security incident," Bachrach says.
"IT and security teams must remain vigilant and continually assess their SaaS exposure."
Varonis published its findings this week that explained how an attacker can exploit the misconfiguration. It also gave Salesforce admins detailed steps to mitigate the issue:
- Ensure your guest profile permissions don't expose things you don't want exposed, like account records, employee calendars, etc.
- Disable API access for your guest profile
- Set the default owner for records created by guest users
- Enable secure guest user access
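The first two steps above (guest profile permissions and API access) can be checked from the admin side rather than by clicking through Setup. The script below is an added example written for this article; it is not Varonis's scanner and not Salesforce code. It queries the standard `ObjectPermissions`, `PermissionSet` and `Profile` objects over the REST query endpoint and flags any Guest-type profile that has API access enabled or that holds read, create or edit rights on objects that normally carry customer or employee data. The API version in the URL, the `SENSITIVE_OBJECTS` set and the sample rows at the bottom are assumptions constructed for this example; run it against your own org with an instance URL and an OAuth access token to see the real list.

```python
"""Audit Salesforce guest-user profiles for the exposures described above.

Added example, not Varonis's tool and not Salesforce code. Assumptions:
  * the org serves the standard REST query endpoint under
    /services/data/v57.0/query (the version number is an assumption);
  * the standard objects Profile, PermissionSet and ObjectPermissions expose
    the fields named in GUEST_PERMS_SOQL.
SAMPLE_RECORDS at the bottom is constructed so the audit runs offline.
"""
import json
import sys
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Objects that typically hold data a guest (anonymous) user should never read.
# Assumed list; extend it with your own custom objects.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "User", "Opportunity"}

# Object permissions granted through the permission set that backs each
# profile, restricted to profiles whose UserType is 'Guest'.
GUEST_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, Parent.Profile.PermissionsApiEnabled, "
    "SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit "
    "FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest'"
)


def fetch_records(instance_url, access_token, soql):
    """Run a SOQL query via the REST API and return the full 'records' list.
    Follows nextRecordsUrl so large result sets are paged completely."""
    url = f"{instance_url}/services/data/v57.0/query?{urlencode({'q': soql})}"
    records = []
    while url:
        req = Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urlopen(req) as resp:
            body = json.load(resp)
        records.extend(body.get("records", []))
        nxt = body.get("nextRecordsUrl")
        url = f"{instance_url}{nxt}" if nxt else None
    return records


def audit_guest_permissions(records):
    """Return {profile name: [finding, ...]} for guest profiles that either
    have API access enabled or can read/create/edit a sensitive object.
    Profiles with no findings are omitted."""
    findings = {}
    for rec in records:
        profile = rec["Parent"]["Profile"]
        issues = findings.setdefault(profile["Name"], [])
        # Mitigation step 2: API access should be off for guest profiles.
        if profile.get("PermissionsApiEnabled") and "api-enabled" not in issues:
            issues.append("api-enabled")
        # Mitigation step 1: no CRUD on customer/employee objects.
        obj = rec["SobjectType"]
        if obj in SENSITIVE_OBJECTS:
            for field, label in (("PermissionsRead", "read"),
                                 ("PermissionsCreate", "create"),
                                 ("PermissionsEdit", "edit")):
                if rec.get(field):
                    issues.append(f"{label}:{obj}")
    return {name: issues for name, issues in findings.items() if issues}


# Constructed sample rows in the shape the REST API returns (attributes omitted).
SAMPLE_RECORDS = [
    {"Parent": {"Profile": {"Name": "Support Community Guest", "PermissionsApiEnabled": True}},
     "SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True, "PermissionsEdit": False},
    {"Parent": {"Profile": {"Name": "Support Community Guest", "PermissionsApiEnabled": True}},
     "SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": False},
    {"Parent": {"Profile": {"Name": "Docs Site Guest", "PermissionsApiEnabled": False}},
     "SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": False},
]


if __name__ == "__main__":
    # Usage: python audit_guest.py https://yourorg.my.salesforce.com <access_token>
    if len(sys.argv) == 3:
        rows = fetch_records(sys.argv[1], sys.argv[2], GUEST_PERMS_SOQL)
    else:
        rows = SAMPLE_RECORDS
    for name, issues in audit_guest_permissions(rows).items():
        print(f"{name}: {', '.join(issues)}")
```

On the constructed sample the report names only the support community's guest profile (API enabled, read and create on Case, read on Contact); the documentation site's guest profile, which can only read knowledge articles, produces no finding. A profile that appears here is one where the guest-user permissions should be tightened before the steps for record ownership and secure guest access are applied.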