Varonis reported that its research team uncovered a series of publicly accessible Salesforce Communities that are “misconfigured” and can potentially “expose sensitive information.” Researchers indicated that the oversight potentially exposes confidential data to “anyone on the internet,” allowing an unauthenticated visitor to query objects that contain info such as customer lists, support cases and employer email addresses.
According to Varonis, this SaaS (Software-as-a-Service) misconfiguration underscores the need for security teams to “continually assess their SaaS exposure.” Possible consequences include reconnaissance for spear-phishing campaigns, data theft, and unauthorized access to sensitive business, operations and partner data. In some cases, Varonis noted, an attacker may also be able to move laterally and retrieve information from other services that are integrated with the Salesforce account.
Recommendations include:
- Checking that guest profile permissions do not expose account records, employee calendars or other types of information.
- Disabling API access for guest profiles.
- Setting a default owner for guest profiles.
- Promoting secure guest-user access.
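As an added example of how a security team might automate the first two recommendations (this is not Varonis's or Salesforce's code), the following Python audits guest profiles against the results of two SOQL queries. The Profile and ObjectPermissions field names are assumed from the Salesforce REST API, and the records below are constructed sample data, not output from a real org.

```python
"""Audit Salesforce guest profiles for the exposures described in the report."""
from typing import Dict, List

# Objects holding the data the report warns about (account records, customer
# lists, support cases, employee calendars and e-mail addresses). Assumption:
# an unauthenticated guest profile should not be able to read any of them.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "User", "Event"}

# Constructed sample, shaped like the REST API JSON for:
#   SELECT Id, Name, PermissionsApiEnabled FROM Profile WHERE UserType = 'Guest'
GUEST_PROFILES = [
    {"Id": "00e0001", "Name": "Support Site Guest", "PermissionsApiEnabled": True},
    {"Id": "00e0002", "Name": "Partner Site Guest", "PermissionsApiEnabled": False},
    {"Id": "00e0003", "Name": "Docs Site Guest", "PermissionsApiEnabled": False},
]

# Constructed sample, shaped like the JSON for:
#   SELECT Parent.ProfileId, SobjectType, PermissionsRead, PermissionsViewAllRecords
#   FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'
OBJECT_PERMISSIONS = [
    {"Parent": {"ProfileId": "00e0001"}, "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"Parent": {"ProfileId": "00e0001"}, "SobjectType": "User",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Parent": {"ProfileId": "00e0002"}, "SobjectType": "Event",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Parent": {"ProfileId": "00e0002"}, "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Parent": {"ProfileId": "00e0003"}, "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
]


def audit_guest_profiles(profiles: List[dict], perms: List[dict]) -> Dict[str, List[str]]:
    """Return {profile name: [findings]}; a profile is listed when API access is
    enabled for it or when it can read one of the SENSITIVE_OBJECTS."""
    names = {p["Id"]: p["Name"] for p in profiles}
    findings: Dict[str, List[str]] = {pid: [] for pid in names}
    for p in profiles:
        if p.get("PermissionsApiEnabled"):
            findings[p["Id"]].append("API access enabled for guest profile")
    for perm in perms:
        pid, obj = perm["Parent"]["ProfileId"], perm["SobjectType"]
        if pid in findings and obj in SENSITIVE_OBJECTS and perm.get("PermissionsRead"):
            # View All bypasses sharing rules, so every record is exposed.
            scope = "all records" if perm.get("PermissionsViewAllRecords") else "shared records"
            findings[pid].append(f"Read access on {obj} ({scope})")
    # Profiles with no findings (only public content readable) are dropped.
    return {names[pid]: f for pid, f in findings.items() if f}
```

Against a live org, the same function can consume the `records` arrays returned by those two queries directly.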
Additional details are available via the Varonis website.