Salesforce, a prominent cloud-based software company, is facing a new security flaw that could put the sensitive data of its clients at risk. A recent report by Varonis Threat Labs highlights the dangers posed by Salesforce “ghost sites”, which are created by companies when they use custom domain names instead of unappealing internal URLs for Salesforce Communities sites so that partners can browse them.
Ghost sites are no longer needed, so they are neither tested for vulnerabilities nor brought into line with newer security guidelines by administrators, leaving them open to malicious actors. Attackers can reach these sites simply by changing the HTTP host header, allowing them to extract sensitive business data and personally identifiable information (PII).
According to Varonis, these ghost sites originate when a company modifies its DNS records so that partners can browse the Salesforce Community site under the custom domain. When the company later replaces the site with an alternative, it simply changes the DNS again, without removing the custom domain in Salesforce or deactivating the site. The site therefore continues to exist and to pull data, becoming a so-called “ghost site”.
Many ghost sites remain active and are readily exploitable because the siteforce domain still resolves, so the site stays reachable under the right circumstances. Attackers can trick Salesforce into believing that the site has been accessed correctly, leading to the exposure of sensitive data.
Varonis warns that ghost sites can also be discovered using tools that index and archive historical DNS records. Older, obsolete sites are the least maintained, and their data is the easiest to reach, which lowers the effort an attacker needs to exploit them.
Varonis researchers carried out a vulnerability assessment and found that many inactive sites had confidential data, including PII that was not otherwise accessible. Companies that have ghost sites should deactivate them immediately, according to the report.
The report comes after a recent study by Okta, which warned that inactive and unmaintained accounts also pose a serious security risk to businesses. Attackers can use information stolen from these accounts to compromise active ones.
Security experts advise businesses to audit their Salesforce Community sites and the associated user permissions regularly. Sites that are still needed should be kept maintained and updated, and those that are not should be deactivated, so that malicious actors have nothing left to exploit.
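One way to turn that audit into a repeatable check, as an added example that is not part of the Varonis report or any Salesforce tooling: compare the custom domains still registered in Salesforce against what the company's DNS currently points them at. A site that is still active in Salesforce but whose custom domain no longer resolves to its Salesforce hostname is exactly the ghost-site condition described above. The inventory format, the hostnames and the DNS snapshot below are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class CustomDomain:
    """One custom-domain entry as an admin might export it from Salesforce setup (constructed shape)."""
    domain: str            # custom domain registered in Salesforce
    salesforce_host: str   # Salesforce-side hostname the CNAME is expected to target
    site_active: bool      # whether the Community site is still active in Salesforce

# Constructed inventory: three custom domains, one of which has been repointed
# away in DNS while its site was left active (the ghost-site condition).
INVENTORY = [
    CustomDomain("partners.example.com", "partners-example.my-site.example", True),
    CustomDomain("old-portal.example.com", "old-portal-example.force.example", True),
    CustomDomain("retired.example.com", "retired-example.force.example", False),
]

# Constructed DNS snapshot standing in for live CNAME lookups (None = no record).
DNS_SNAPSHOT = {
    "partners.example.com": "partners-example.my-site.example.",
    "old-portal.example.com": "www.newvendor.example.",
    "retired.example.com": None,
}

def lookup_cname(name: str) -> Optional[str]:
    """Return the CNAME target for a name from the constructed snapshot."""
    return DNS_SNAPSHOT.get(name)

def classify(entry: CustomDomain, resolver: Callable[[str], Optional[str]] = lookup_cname) -> str:
    """Classify one entry as 'ok', 'ghost' or 'deactivated'.

    'ghost' means the site is still active in Salesforce but the custom domain's
    DNS no longer points at the Salesforce host, so the site lingers unnoticed.
    """
    if not entry.site_active:
        return "deactivated"
    target = resolver(entry.domain)
    # Normalise trailing dot and case before comparing DNS names.
    if target is not None and target.rstrip(".").lower() == entry.salesforce_host.lower():
        return "ok"
    return "ghost"

def find_ghost_sites(inventory: List[CustomDomain],
                     resolver: Callable[[str], Optional[str]] = lookup_cname) -> List[str]:
    """Return the custom domains that should be deactivated or removed."""
    return [e.domain for e in inventory if classify(e, resolver) == "ghost"]
```

Swap `lookup_cname` for a real CNAME resolver (for example one built on dnspython) to run the same check against a live export.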
Meanwhile, Google has updated its inactivity policy for Google Accounts to two years on security grounds: if a personal account has not been used or signed into for at least two years, Google may delete the account and its contents. Abandoned accounts are more vulnerable to compromise, as they typically rely on reused passwords and have weaker security settings.
In conclusion, cloud-based services are continuously evolving, and keeping security practices current is essential for businesses to protect their sensitive data and their clients. Varonis recommends that companies promptly update their security practices, including the immediate deactivation of ghost sites, to avoid exposing sensitive information to third-party hackers.

