Date: 2021-08-10

Researchers at Varonis are warning about a Salesforce misconfiguration that can expose sensitive data to anyone on the internet.

The issue is in the Salesforce Community, which lets Salesforce customers create their own websites to connect with users outside their organization and collaborate.

Communities can feature all sorts of functionality, like Q&As, forums, a partner portal, and more. Communities can also allow anonymous users to query objects -- such as customer lists, support cases, employee email addresses, and more -- containing sensitive information.

Varonis researcher Nitay Bachrach says, "At a minimum, a malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign. At worst, they could steal sensitive information about a business, its operations, clients, and partners. In some cases, a sophisticated attacker could be able to move laterally and retrieve information from other services integrated with the Salesforce account."

Varonis has reported the issue to Salesforce, but many businesses are likely to still be exposed, as Salesforce is used by more than 150,000 companies around the globe. Salesforce says it's working on updates to its app to make it harder for admins to expose information accidentally.

Bachrach adds, "This isn't the first time -- and won't be the last time -- a SaaS configuration issue can create a serious security incident. IT and security teams must remain vigilant and continually assess their SaaS exposure."

Salesforce admins are advised to ensure guest profile permissions don't expose things they don't want exposed, like account records and employee calendars; disable API access for guest profiles; set the default owner for records created by guest users; and enable secure guest user access.
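
As an added illustration (not from Varonis or Salesforce, and not the unreleased scanner), the sketch below audits a guest profile that an admin has retrieved from their own org as Metadata API XML, covering the first two recommendations: object permissions and API access. The sample profile is constructed, and the `SENSITIVE_OBJECTS` list is an assumption to adapt per org.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Assumption: objects this org does not want guest users to reach.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Lead"}
ACCESS_FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
                "viewAllRecords", "modifyAllRecords")

# Constructed sample: a community guest profile in Metadata API XML form.
SAMPLE_GUEST_PROFILE = """
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions>
    <allowRead>true</allowRead><allowEdit>false</allowEdit>
    <object>Account</object>
  </objectPermissions>
  <objectPermissions>
    <allowRead>true</allowRead><viewAllRecords>true</viewAllRecords>
    <object>Case</object>
  </objectPermissions>
  <objectPermissions>
    <allowRead>true</allowRead>
    <object>Knowledge__kav</object>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>ViewAllData</name></userPermissions>
</Profile>
"""

def audit_guest_profile(xml_text):
    """Return sorted (kind, name, granted_flags) findings for a guest profile."""
    root = ET.fromstring(xml_text)
    findings = []
    # Recommendation: disable API access for guest profiles.
    for perm in root.findall("md:userPermissions", NS):
        name = perm.findtext("md:name", "", NS)
        if name == "ApiEnabled" and perm.findtext("md:enabled", "", NS) == "true":
            findings.append(("api_access", name, ("enabled",)))
    # Recommendation: guest permissions must not expose sensitive objects.
    for perm in root.findall("md:objectPermissions", NS):
        obj = perm.findtext("md:object", "", NS)
        granted = tuple(f for f in ACCESS_FLAGS
                        if perm.findtext(f"md:{f}", "false", NS) == "true")
        if obj in SENSITIVE_OBJECTS and granted:
            findings.append(("object_access", obj, granted))
    return sorted(findings)

if __name__ == "__main__":
    for kind, name, granted in audit_guest_profile(SAMPLE_GUEST_PROFILE):
        print(f"{kind}: {name} -> {', '.join(granted)}")
```

The default record owner and secure guest user access are org-level settings and are not visible in the profile file, so they need to be checked separately.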

Varonis has written a scanner utility to find exposed communities -- which is not being publicly released because it could make life easy for malicious actors -- but companies that think they are affected can get help from the Varonis team.
