Researchers on Tuesday said they have discovered publicly accessible Salesforce Communities that are misconfigured and potentially expose sensitive information about companies, their operations, clients, and partners.
In a blog post, Varonis researchers said a malicious actor could exploit these misconfigurations to perform reconnaissance for a spear-phishing campaign. A sophisticated attacker could also move laterally and retrieve information from other services that are integrated with the Salesforce account.
According to the researchers, a Salesforce Community site lets customers and partners interface with a Salesforce instance from outside an organization — they can open support tickets, ask questions, and manage their subscriptions. The communities are public-facing and indexed by Google. While that’s useful to customers and partners, Varonis said this makes it easier for attackers who discover a vulnerability or misconfiguration to scan for and launch an attack.
The blog post explains how an attacker can exploit the misconfiguration and gives Salesforce administrators detailed steps on how to protect against such attacks.
Enterprise IT teams often overlook Salesforce security because Salesforce adoption grows organically, said Michael Isbitski, technical evangelist at Salt Security. Isbitski said IT and security teams are not always aware that employees are using Salesforce because business teams procure licenses ad hoc.
“The common perspective on Salesforce is that it’s used primarily for Salesforce automation and customer relationship management, but the platform capabilities are much more expansive, including services like Salesforce Communities,” Isbitski said. “Salesforce has acquired several companies over the years to flesh out its portfolio, in addition to what the company built itself. The capabilities don’t all use a unified technology stack, though, which results in additional misconfiguration and operational complexity. Salesforce can also be used as a custom application development platform with Salesforce Lightning or Heroku. This greatly expands the attack surface for organizations, and the risk of misconfiguration or vulnerable custom code is greatly elevated.”
Brendan O’Connor, co-founder and CEO at AppOmni, pointed out that his team had posted research late last year on how attackers can exploit a misconfigured Salesforce Community.
“Since the complexity of cloud and SaaS environments — and the associated security configurations — will only continue to increase, companies will need to use automated tools to ensure that their security settings match their business intent, and to continuously monitor security controls to prevent configuration drift,” O’Connor said. “As the number of cloud and SaaS applications used by enterprises increases, this task is becoming nearly impossible for teams to adequately maintain manually over time, and often requires an ever-increasing amount of time and resources. By embracing new tools that automate traditionally manual tasks, such as configuration audits, teams can potentially become much more efficient, giving them the ability to cover additional platforms, and ensuring that their cloud environments are secure across all access points.”
