Script injection vulnerability leaves Salesforce users open to phishing attacks
A script injection vulnerability in the popular Salesforce cloud CRM system could have left users open to attack from phishing emails that appear to come from within a trusted domain.
Cloud application security specialist Elastica has released details of the vulnerability -- disclosed to Salesforce in early July -- which opened the door for attackers to use a trusted Salesforce application as a platform to conduct phishing attacks to steal end-users' login credentials and hijack accounts.
Though it was considered a low-impact threat because it existed in a sub-domain rather than the main Salesforce domain, Salesforce patched the vulnerability on August 10, and Elastica researchers have validated the fix.
"Exploitation of XSS vulnerabilities is among the most prolific methods of Web application hacking today," says Dr. Aditya K Sood, lead architect of Elastica Cloud Threat Labs. "Although this particular flaw was only present in a Salesforce subdomain, exploiting the trust of the company's primary domain could have allowed attackers to easily implement phishing attacks to gain access to user credentials. With stolen credentials, attackers can then access users' accounts and exfiltrate sensitive data undetected for long periods of time."
You can find a detailed analysis of the flaw and how it could be exploited on the Elastica blog.