
Krebs on Security Reports Public Salesforce Sites Exposing Private Data

Numerous organizations, including banks and healthcare providers, have been found to be leaking private and sensitive information from their public Salesforce Community websites because of a misconfiguration in how the software is set up. The flaw allows unauthenticated users to view records that should only be available after logging in. Salesforce Community is a cloud-based product for easily creating websites, with both authenticated and guest user access available. Guest access is meant to let unauthenticated visitors see some public content, but when the guest user's permissions are too broad it lets them read information that is normally private.

Vermont has confirmed that it had at least five separate Salesforce Community sites misconfigured to reveal sensitive data, including a Pandemic Unemployment Assistance program site that revealed each applicant’s name, address, full Social Security number, phone number, email, and bank account details. Vermont Chief Information Security Officer Scott Carbee stated that these sites were created hurriedly in response to the coronavirus pandemic and were not subject to the standard security review process. The vulnerable sites have since been reviewed, and one more of the state’s Salesforce sites has also been discovered to be misconfigured.

Researchers also identified other organizations as potentially having misconfigured Salesforce pages that left them open to data breaches, including DC Health, Washington D.C. city administrators, Columbus-based Huntington Bank, and TCF Bank, which Huntington recently acquired. Huntington Bank has reportedly disabled the leaky TCF Bank Salesforce website and is still investigating to determine the extent of the breach. However, researcher Charan Akiri has had difficulty getting responses from the organizations he has tried to notify about the potential vulnerability.

The issue was first exposed in August 2021, when security researcher Aaron Costello published a post detailing how misconfigurations in Salesforce Community sites could be exploited to reveal sensitive data. Salesforce has stated that these data exposures are not vulnerabilities inherent to the software but the result of customers misconfiguring their access control permissions. In September 2022 the company issued an advisory to customers recommending the Guest User Access Report Package to help review access control permissions for unauthenticated users. It also points customers to best practices and considerations for configuring the Guest User Profile to improve data security and security policies. Salesforce says it is actively focusing on data security for organizations with guest users and is continuously releasing “robust tools and guidance” to meet contractual and regulatory obligations.
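The review Salesforce recommends boils down to checking what the guest user profile can read. As an added example (not code from Krebs, Salesforce, or any affected organization), the script below audits a Guest User Profile exported in Salesforce's profile metadata XML format and flags any object or field that an unauthenticated visitor could read or write; the sample profile, the object names and the allow-list of intentionally public objects are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample Guest User Profile (not exported from any real org).
GUEST_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions>
    <allowRead>true</allowRead><viewAllRecords>true</viewAllRecords>
    <object>Knowledge__kav</object>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowRead>true</allowRead>
    <viewAllRecords>true</viewAllRecords>
    <object>Assistance_Application__c</object>
  </objectPermissions>
  <fieldPermissions>
    <editable>false</editable><readable>true</readable>
    <field>Assistance_Application__c.SSN__c</field>
  </fieldPermissions>
</Profile>
"""

# Hypothetical allow-list: objects the site owner intends to be public.
PUBLIC_OK = {"Knowledge__kav"}

PERMS = ("allowRead", "viewAllRecords", "allowCreate",
         "allowEdit", "allowDelete", "modifyAllRecords")


def audit_guest_profile(xml_text, public_ok=PUBLIC_OK):
    """Return (object findings, readable field names) for a guest profile.

    Each finding is (object API name, sorted list of granted permissions)
    for objects that grant the guest user anything and are not allow-listed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", namespaces=NS)
        granted = sorted(
            p for p in PERMS
            if op.findtext(f"sf:{p}", default="false", namespaces=NS) == "true"
        )
        if granted and obj not in public_ok:
            findings.append((obj, granted))
    # Field-level read access the guest user holds, regardless of object.
    readable_fields = [
        fp.findtext("sf:field", namespaces=NS)
        for fp in root.findall("sf:fieldPermissions", NS)
        if fp.findtext("sf:readable", namespaces=NS) == "true"
    ]
    return findings, readable_fields
```

Run against a real export, every finding is an object the guest profile can reach without a login and should be justified or removed.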

In conclusion, the misconfiguration of Salesforce Community websites is an ongoing issue, with more organizations being identified as potentially vulnerable. It highlights the need for cybersecurity reviews and strict access controls when deploying cloud-based software, and for having a response plan in place in the event of a data breach.
