The research team at Varonis reported this week that a bug in Salesforce Communities and Einstein Activity Capture may have exposed Outlook and Google calendar events.
While Salesforce fixed the bug, Varonis security researcher Nitay Bachrach wrote on the company’s blog that companies that created their Salesforce Community before summer 2021 must remediate exposed calendar events.
Varonis researchers dubbed the bug Einstein’s Wormhole. Einstein Activity Capture synchronizes emails and calendar events between Microsoft Exchange and Google accounts and Salesforce.
Einstein will attempt to find other Salesforce users to sync the event with and add it to their calendars. Until this summer, guest users were created with the Salesforce admin email address, and a public event was created using guest profiles, which exposed potentially sensitive information to the internet, such as emails, agendas and file attachments. With a meeting link, passwords and attendee list, an attacker could potentially join a meeting unnoticed.
Varonis details how to mitigate the bug on its blog.