Salesforce Communities Could Expose Business-Sensitive Information

Numerous publicly accessible Salesforce Communities are misconfigured and could expose sensitive information, says research published today.

A Salesforce Community site lets customers and partners interface with a Salesforce instance from outside an organization. For example, they can open support tickets, ask questions, manage their subscriptions and more.

According to Varonis, anonymous users can “query objects that contain sensitive information such as customer lists, support cases and employee email addresses.” The research team explains in a blog post that a “malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign” at a minimum.

“At worst, they could steal sensitive information about the business, its operations, clients, and partners,” it goes on to say. “In some cases, a sophisticated attacker may be able to move laterally and retrieve information from other services that are integrated with the Salesforce account.”

Salesforce communities run on Salesforce’s Lightning framework — a rapid development framework for mobile and desktop sites. It is a component-oriented framework, using aura components — self-contained objects that a developer can use to create web pages. In the case of Salesforce, aura components can be used to perform actions such as viewing or updating records.

“In misconfigured sites, the attacker can perform recon by looking for information about the organization, like users, objects, and fields that expose names and email addresses, and in many cases, they can infiltrate the system or steal information,” explains the Varonis research team. “First, the attacker must fin ..