Researchers have warned before about Salesforce sites leaking data. Now, however, cybersecurity researchers have found Salesforce sites leaking data on a scale not seen before.
Numerous organizations, including banks and healthcare providers, have been found to be leaking private and sensitive information from their public Salesforce Community websites, said a KrebsOnSecurity report citing researcher Charan Akiri.
According to the report, the data exposures stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.
Customers can access a Salesforce Community website in two ways: authenticated access, which requires a login, and guest user access, which does not. The guest access feature allows unauthenticated users to view specific content and resources without logging in.
However, sometimes Salesforce administrators mistakenly grant guest users access to internal resources, which can cause unauthorized users to access an organization’s private information and lead to potential data leaks.
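One way a defender can triage the guest-profile grants described above, as an added example that is not the article's or Salesforce's own code: it takes ObjectPermissions rows in the shape the Salesforce REST API returns for a SOQL query and flags grants an unauthenticated guest profile should not hold. The SOQL query, the license name, the per-site allow-list and the sample rows are assumptions or constructed data, not taken from the article.

```python
"""Triage guest-user object permissions exported from a Salesforce org.

Assumption: rows come from a SOQL query such as
  SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsEdit, PermissionsDelete
  FROM ObjectPermissions WHERE Parent.Profile.UserLicense.Name = 'Guest User License'
The REST API returns relationship fields as nested dicts; that is the shape used here.
"""
from dataclasses import dataclass

# Objects a public Community guest profile usually does need to read.
# Per-site allow-list (assumption: tune it for your org; Community_FAQ__c is a made-up custom object).
EXPECTED_GUEST_READ = {"Knowledge__kav", "Site", "Network", "Community_FAQ__c"}
# Standard objects that commonly hold customer, applicant or employee PII.
SENSITIVE = {"Contact", "Account", "Case", "Lead", "User", "ContentDocument", "Attachment"}


@dataclass(frozen=True)
class Finding:
    profile: str
    sobject: str
    severity: str  # "high" or "medium"
    reason: str


def audit_guest_permissions(rows):
    """Return grants on guest profiles that warrant review, high severity first."""
    findings = []
    for r in rows:
        obj, profile = r["SobjectType"], r["Parent"]["Profile"]["Name"]
        if r.get("PermissionsEdit") or r.get("PermissionsDelete"):
            # Unauthenticated users should not be able to modify or delete records.
            findings.append(Finding(profile, obj, "high", "edit/delete granted to guest profile"))
        if not r.get("PermissionsRead") or obj in EXPECTED_GUEST_READ:
            continue
        if obj in SENSITIVE:
            findings.append(Finding(profile, obj, "high", "read on an object that commonly holds PII"))
        else:
            findings.append(Finding(profile, obj, "medium", "read on an object outside the allow-list"))
    findings.sort(key=lambda f: (f.severity != "high", f.profile, f.sobject))
    return findings


def sample_rows():
    """Constructed export for a fictional licensing-portal site (not real data)."""
    def row(profile, obj, read, edit=False):
        return {"Parent": {"Profile": {"Name": profile}}, "SobjectType": obj,
                "PermissionsRead": read, "PermissionsEdit": edit, "PermissionsDelete": False}
    return [row("Licensing Portal Guest", "Knowledge__kav", True),
            row("Licensing Portal Guest", "Contact", True),
            row("Licensing Portal Guest", "License_Application__c", True, edit=True),
            row("Licensing Portal Guest", "Case", False)]
```

Object-level permission is only the first gate; record-level access for guest users is governed separately by guest user sharing rules, which this script does not inspect.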
On being alerted about Salesforce sites leaking data, the company told KrebsOnSecurity that the data exposures are not the result of a vulnerability inherent to the Salesforce platform but rather can occur when customers’ access control permissions are misconfigured.
Salesforce Sites Leaking Data: Spotted earlier
This issue of Salesforce sites leaking data was brought to the forefront in August 2021 when security researcher Aaron Costello published a blog post explaining how misconfigurations in Salesforce Community sites could be exploited to reveal sensitive data.
In October 2021, cybersecurity firm Varonis warned about the potential security threats from misconfigured Salesforce Community sites.
This security vulnerability could allow anonymous users to query objects that contain sensitive information such as customer lists, support cases, and employee email addresses, said the Varonis report.
Recently, researcher Charan Akiri found numerous other organizations running misconfigured Salesforce pages. He wrote a program that identified hundreds of such organizations but has had difficulty getting responses from most of the organizations he has notified to date.
In January and February 2023, he contacted government organizations and several companies but received no response. Akiri then reached out to several CISOs on LinkedIn and Twitter, which resulted in five companies eventually fixing the problem. The government organizations, however, still did not respond.
Akiri notified Washington D.C. city administrators on Monday that at least five different public DC Health websites were leaking sensitive information.
One DC Health Salesforce Community website designed for health professionals seeking to renew licenses with the city leaked documents that included the applicant’s full name, address, Social Security number, date of birth, license number and expiration, and more.
Akiri had notified the Washington D.C. government of his findings in February but received no response, said the report.
Salesforce Sites Leaking Data: Incident verified
KrebsOnSecurity used Akiri’s findings to notify Columbus, Ohio-based Huntington Bank that its recently acquired TCF Bank had a Salesforce Community website that was leaking documents related to commercial loans.
The leak exposed sensitive data, including name, address, full Social Security number, title, federal ID, IP address, average monthly payroll, and loan amount.
Before being contacted by KrebsOnSecurity, the state of Vermont had at least five separate Salesforce Community sites that allowed guest access to sensitive data, including a Pandemic Unemployment Assistance program site that exposed the applicant’s full name, Social Security number, address, phone number, email, and bank account number.
Vermont’s Chief Information Security Officer Scott Carbee told KrebsOnSecurity his security teams have been conducting a full review of their Salesforce Community sites and found one additional Salesforce site operated by the state that was also misconfigured to allow guest access to sensitive information.
Carbee stated that the vulnerable sites were all created rapidly in response to the Coronavirus pandemic and were not subjected to their normal security review process.
In response, Salesforce recommended using the Guest User Access Report Package to help review access control permissions for unauthenticated users.
Additionally, it suggested reviewing the Help article “Best Practices and Considerations When Configuring the Guest User Profile.”