
Krebs on Security Reports Public Salesforce Sites Exposing Private Data


Numerous organizations, including banks and healthcare providers, have been found to be leaking private and sensitive information from their public Salesforce Community websites because of a misconfiguration in the software. The vulnerability allows unauthenticated users to view records that should only be available after logging in. Salesforce Community is a cloud-based product for easily creating websites, with both authenticated and guest user access available. While the guest access option is meant to let unauthenticated users view only some content, it can also let unauthorized users reach normally private information.

Vermont has confirmed that it had at least five separate Salesforce Community sites misconfigured to reveal sensitive data, including a Pandemic Unemployment Assistance program site that revealed applicants’ names, addresses, full Social Security numbers, phone numbers, email addresses, and bank account details. Vermont Chief Information Security Officer Scott Carbee stated that these sites were created hurriedly in response to the coronavirus pandemic and were not subject to the standard security review process. The vulnerable sites have since been reviewed, and one more of the state’s Salesforce sites has also been found to be misconfigured.

Researchers also identified other organizations as potentially having misconfigured Salesforce pages that left them vulnerable to data breaches, including DC Health, Washington D.C. city administrators, Columbus-based Huntington Bank, and TCF Bank, which Huntington recently acquired. Huntington Bank has reportedly disabled the leaky TCF Bank Salesforce website and is still investigating to determine the extent of the breach. However, researcher Charan Akiri has had difficulty getting responses from the organizations he has tried to notify about the potential vulnerability.

The vulnerability was first exposed in August 2021, when security researcher Aaron Costello published a post detailing how misconfigurations in Salesforce Community sites could be exploited to reveal sensitive data. Salesforce has stated that these data exposures are not vulnerabilities inherent to the software but the result of customers misconfiguring their access control permissions. In September 2022 the company issued an advisory to customers recommending the Guest User Access Report Package to help review access control permissions for unauthenticated users. It also suggests following best practices and security considerations when configuring the Guest User Profile for better data protection. Salesforce says it is actively focusing on data security for organizations with guest users and is continuously releasing “robust tools and guidance” to meet contractual and regulatory obligations.
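As an added illustration of the kind of guest-profile review the advisory calls for (example code written for this page, not Salesforce's tooling or anything from the article), the script below pulls the object-level permissions granted to a named guest user profile and flags readable objects, treating "View All Records" as the worst case because it bypasses sharing rules. It assumes the simple_salesforce library, a guest profile name, and a constructed list of sensitive objects; the SOQL uses the standard ObjectPermissions fields, and the sample records are constructed so the triage logic runs offline.

```python
"""Audit which objects a Salesforce site's guest user profile can read.

Added example, not from the article or from Salesforce. Assumes the
simple_salesforce library and a named guest profile. SENSITIVE_OBJECTS
and SAMPLE_RECORDS are constructed for illustration.
"""
from typing import Iterable

# Constructed list of objects a reviewer would treat as sensitive.
SENSITIVE_OBJECTS = {"Contact", "Lead", "Case", "Account", "Application__c"}

# Standard ObjectPermissions fields; Parent is the profile's PermissionSet.
GUEST_PERMS_SOQL = (
    "SELECT SobjectType, PermissionsRead, PermissionsViewAllRecords "
    "FROM ObjectPermissions WHERE Parent.Profile.Name = '{profile}'"
)


def triage_object_permissions(records: Iterable[dict]) -> list[dict]:
    """Return findings for every object the guest profile can read.

    Object-level Read is the gate: without it no record is reachable no
    matter what the sharing rules say. ViewAllRecords is worse, since it
    exposes every record regardless of sharing rules.
    """
    findings = []
    for rec in records:
        if not rec.get("PermissionsRead"):
            continue
        obj = rec["SobjectType"]
        severity = "high" if obj in SENSITIVE_OBJECTS else "review"
        if rec.get("PermissionsViewAllRecords"):
            severity = "critical"
        findings.append({"object": obj, "severity": severity})
    return sorted(findings, key=lambda f: f["object"])


def audit_guest_profile(sf, profile_name: str) -> list[dict]:
    """Query a live org (simple_salesforce.Salesforce instance) and triage."""
    soql = GUEST_PERMS_SOQL.format(profile=profile_name.replace("'", "\\'"))
    return triage_object_permissions(sf.query_all(soql)["records"])


# Constructed sample shaped like a query result, so the script runs offline.
SAMPLE_RECORDS = [
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"SobjectType": "Application__c", "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"SobjectType": "Opportunity", "PermissionsRead": False, "PermissionsViewAllRecords": False},
]

if __name__ == "__main__":
    for f in triage_object_permissions(SAMPLE_RECORDS):
        print(f"{f['severity']:>8}  {f['object']}")
```

Object permissions are only the first gate; record-level exposure through guest sharing rules and field-level security still need a separate review.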

In conclusion, the misconfiguration of Salesforce Community websites is an ongoing issue, with more organizations being identified as potentially vulnerable. It highlights the necessity of security reviews and strict access controls when deploying cloud-based software, and of having a response plan in place in the event of a data breach.
