Threat actors could gain access to improperly deactivated or unmaintained Salesforce sites by changing the host header, thereby gaining access to sensitive personal and business data.
In a Wednesday blog post by Varonis Threat Labs, researcher Nitay Bachrach wrote so-called “ghost sites” are Salesforce communities that are no longer being used. The abandoned sites were originally designed to allow partners and customers to collaborate within a company’s Salesforce environment. Ghost sites are simply forgotten or unused collaborative sites that instead of being deactivated create a liability, researchers said.
However, the Salesforce sites still pull new data and can be easily found on the public internet and can be exploited by attackers.
“Because these unused sites are not maintained, they aren’t tested against vulnerabilities, and admins fail to update the site’s security measures according to newer guidelines,” Bachrach, the author of the Varonis post, wrote.
Ghost sites start when custom domain names are created and point to the Salesforce Community Site by configuring the DNS record. Risk is introduced when companies move to a different vendor, Bachrach explained. Varonis Threat Labs researchers discovered, many companies only changed the DNS records and did not remove the custom domain or deactivate the Salesforce Site.
Since the Salesforce site is still active, attackers can access them by simply changing the host header. Tools that index and archive DNS records, such as SecurityTrails, make identifying ghost sites easier for attackers, Bachrach noted.
“Our research found many such sites with confidential data, including PII and sensitive business data that were not otherwise accessible,” he wrote. “The exposed data is not restricted to only old data from when the site was in use; it also includes new records that were shared with the guest user due to the sharing configuration in their Salesforce environment.”
To avoid the issue, Varonis researchers said that Salesforce Communities should be deactivated.