Salesforce misconfiguration could affect thousands, cybersecurity firm claims
Varonis says it has found a 'misconfiguration' in Salesforce's community offering
Cybersecurity firm Varonis claims to have found a misconfiguration in Salesforce's community offering, which it warns could allow hackers to steal data sensitive to businesses.
Salesforce communities are web pages which enable businesses to connect with employees, partners, customers and others outside of their organisation to collaborate and share information - including through features like Q&As, partner portals and forums.
Varonis says the "misconfiguration" can "expose sensitive data to anyone on the internet" and warns that thousands of customers could be vulnerable.
But in response, Salesforce said: "The issue described is not the result of a vulnerability inherent to the Salesforce platform, but can occur when customers misconfigure access control permissions.
"At Salesforce, trust is our number one value, and we take the protection of our customers' data very seriously."
"At a minimum, a malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign," Varonis researcher Nitay Bachrach said.
"At worst, they could steal sensitive information about a business, its operations, clients, and partners. In some cases, a sophisticated attacker could be able to move laterally and retrieve information from other services integrated with the Salesforce account."
Varonis claims to have found "numerous publicly accessible Salesforce communities that are misconfigured and expose sensitive information".
Hackers can "perform recon" in misconfigured sites "by looking for information about the organisation, like users, objects, and fields that expose names and email addresses, and in many cases, they can infiltrate the system or steal information", it says.
The firm also claims these public communities "allow anonymous users to query objects such as customer lists, support cases, employee email addresses, and more, containing sensitive information."
Varonis says it has disclosed the findings to Salesforce and that the company it is working on updates to the app to make it harder for admins to expose information accidentally.