Script injection vulnerability leaves Salesforce users open to phishing attacks
A script injection vulnerability in the popular Salesforce cloud CRM system could have left users open to attack from phishing emails that appear to come from within a trusted domain.
Cloud application security specialist Elastica has released details of the vulnerability -- disclosed to Salesforce in early July -- which opened the door for attackers to use a trusted Salesforce application as a platform to conduct phishing attacks to steal end-users' login credentials and hijack accounts.
Though it was considered a low-impact threat because it existed in a sub-domain rather than the main Salesforce domain, Salesforce patched the vulnerability on August 10, and Elastica researchers validated the fix.
The flaw enabled attackers to execute JavaScript to steal cookies and session identifiers, which could have led to a potential Salesforce account takeover depending on Same Origin Policy (SOP). They could also force Salesforce users to visit phishing sites to potentially extract credentials via social engineering tricks. Attackers could also have injected pop-up windows to facilitate phishing attacks or forced users to download malicious code on their machines by executing unauthorized scripts in the context of the browser running a vulnerable application.
"Exploitation of XSS vulnerabilities is among the most prolific methods of Web application hacking today," says Dr. Aditya K Sood, lead architect of Elastica Cloud Threat Labs. "Although this particular flaw was only present in a Salesforce subdomain, exploiting the trust of the company's primary domain could have allowed attackers to easily implement phishing attacks to gain access to user credentials. With stolen credentials, attackers can then access users' accounts and exfiltrate sensitive data undetected for long periods of time."
You can find a detailed analysis of the flaw and how it could be exploited on the Elastica blog.