Varonis says this is not the first time nor the last time a SaaS configuration will create a potential security incident. Varonis stresses the need for security teams to continually assess their SaaS exposure.
Varonis researcher Nitay Bachrach details how the misconfiguration works.
"At a minimum, a malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign. At worst, they could steal sensitive information about a business, its operations, clients, and partners,” explains Bachrach. “In some cases, a sophisticated attacker could be able to move laterally and retrieve information from other services integrated with the Salesforce account."
Varonis says the issue lies within the Salesforce community, which lets its customers create their own websites to connect with users outside their organisation and collaborate.
Communities can feature different functionalities like Q&A, forums, and a partner portal.
Communities can also allow anonymous users to query objects—such as customer lists, support cases, employee email addresses, which may contain sensitive information.
Communities are public-facing and, by default, indexed by Google. Varonis notes that while this is useful for customers and partners, attackers can exploit this and discover a vulnerability or misconfiguration to scan for and abuse communities at scale.
Salesforce is highly-customisable and can be difficult to administer. No two Salesforce instances are the same, with hundreds of third-party apps, custom objects, and configurations.
A misconfigured Salesforce community may lead to sensitive Salesforce data being exposed to anyone on the internet.
The Varonis threat update details new angles to the attack that have not been published. Varonis then disclosed their findings to Salesforce, which said it is working on updates to their app to make it harder for admins to expose information accidentally.
While Varonis researchers reported the issue to Salesforce last year, there are still countless organisations exposed.
Since Salesforce has more than 150,000 customers worldwide, and 90% of the Fortune 500 are Salesforce customers, Varonis warns that thousands of companies could be vulnerable.
Varonis has since created a scanner utility to find exposed communities.
Varonis says the tool will not be released because it could make it easy for malicious actors to zero in on vulnerable organisations.
Companies can reach out to the Varonis team via the form here if they wish to access to tool.
Varonis has also released a full-length guide, which explains how an attacker can exploit the misconfiguration and gives Salesforce admins detailed steps to:
Ensure guest profile permissions don’t expose things you don’t want to be exposed (account records, employee calendars, etc.)
Disable API access for your guest profile
Set the default owner for records created by guest users
Enable secure guest user access