Beginning in July and lasting for at least a month, a Salesforce subdomain used for blogging was affected by a reflected cross-site scripting (XSS) vulnerability that could have been exploited by attackers to distribute malware and carry out phishing attacks.
In a Wednesday blog post, Aditya Sood, lead architect of Elastica Cloud Threat Labs, wrote that the vulnerability was in the “admin.salesforce.com” subdomain, and he told SCMagazine.com in a Thursday email correspondence that the bug was reported to Salesforce on July 6 and addressed on Aug. 9.
“This subdomain was vulnerable to a reflected [XSS] vulnerability where a specific function in the deployed application failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request,” Sood wrote. “As a result, the attacker could have executed JavaScript in the context of the application, thereby impacting the privacy and security of Salesforce users.”
Although Salesforce told Elastica that the vulnerability is considered low impact due to it not affecting the primary Salesforce domain, Sood said that there is more to the issue and that these types of bugs “should not be taken lightly.”
In the post, he demonstrated how the flaw could have been exploited to stage some fairly advanced phishing attacks involving fake login pop-up windows – thus putting usernames and passwords at risk. The theft of credentials is made worse because Salesforce, Sood said, has implemented single sign-on (SSO).
“The users primarily have only one set of credentials which is mainly Salesforce SSO,” Sood said. “So one can imagine that if those accounts are compromised then attackers could gain access to all the applications used by the Salesforce users.”
Sood said that the vulnerability can also enable distribution of malware via drive-by attack.
“Before it was patched, an attacker had the capability to inject JavaScripts from a third-party domain to easily distribute URLs containing embedded JavaScripts through phishing attacks,” Sood said. “If users were to open such a link the JavaScripts would get executed in their browsers and malware could then be downloaded to the end-users' systems.”
