Security firm Varonis has shared research on how Salesforce Communities instances can be exploited for data theft and reconnaissance activities by threat actors, due to a misconfiguration flaw.
In the best-case scenario, a threat actor could exploit the flaw to gather information on a target as a part of their reconnaissance activities, or to conduct spear-phishing campaigns.
In extreme cases, sensitive information about businesses, their operators, clients, or partners may be obtained.
Unauthenticated attackers can peek into API endpoint responses
A Salesforce Community site enables customers and partners based outside of your organization to interact with your Salesforce instance.
They can perform a wide range of tasks such as opening new support tickets, asking questions, and managing subscriptions.
“Communities are public-facing and, by default, indexed by Google. While this is useful for customers and partners, it makes it easy for attackers who discover a vulnerability or misconfiguration to scan for and abuse communities at scale,” says Varonis security researcher Nitay Bachrach in a report published this week.
The Salesforce Community API has “aura” endpoints, which implement the Lightning Framework, such as:
“The browser uses the aura endpoint to retrieve information about the site and perform server-side actions as the user interacts with the community site. Naturally, the user’s permissions apply to these actions,” explains Bachrach.
Varonis claims that they have discovered numerous such publicly accessible misconfigured Salesforce community sites that may be exposing sensitive information.
A simple Google search like the following can be narrowed further by adding additional terms and arriving at Salesforce Community instances that may be misconfigured and potentially vulnerable:
Adversaries can gather information about the organization, its users, and email addresses, or worse, steal valuable information in some cases. And all of this without requiring any authentication!
Varonis states that it has contacted Salesforce with its findings and that the company is in the process of updating its apps to make them more secure, by making it harder for admins to accidentally expose information.
Security Report reached out to Salesforce for comment well in advance of publishing but did not hear back.