A growing problem with Salesforce security that’s lacking awareness but is now too big to ignore.
KrebsOnSecurity is a security news and investigation site headed by Brian Krebs. Brian is considered an authority on investigative reporting related to internet security and cybercrime. One of Brian’s key traits is his ability to find emerging issues and conduct in-depth investigations that uncover real problems before they become mainstream. This is why when he reports, security professionals listen.
Misconfigured Access Controls Lead to Data Leakage
In their latest piece on Salesforce sites leaking private data, KrebsOnSecurity has found “a shocking number of organizations” are experiencing data leakage from their public Salesforce Community sites.
The data leaks were happening because guest access users (no login required) were mistakenly given access to internal resources and private information. These misconfigurations led to critical leakage of very sensitive data. Large organizations, like the State of Vermont and Huntington Banks, had this vulnerability.
Brian’s reporting on this topic is a must-read for every Salesforce user as it highlights a problem many of them have but not many address.
Configuration is Not the Only Problem
While guest user access in Salesforce is portrayed as a configuration management problem, it is only part of the picture. Salesforce allows custom code to be deployed in Salesforce Community sites which can lead to common vulnerabilities like data leakage and injections attacks, to name a few.
Taking only a configuration-based approach to this problem will not solve for the full spectrum of issues that come with Salesforce Community sites. Code analysis and config analysis is needed. This is why DigitSec is a must have if you are using Salesforce Community or Salesforce Experience clouds.
Salesforce Security Expert Opinions on the Issue
Misconfigured settings and access controls is an issue we’ve seen plague many businesses using Salesforce. Almost every scan we’ve ever conducted has surfaced high and/or critical issues related to user access misconfigurations.
In one of our Salesforce Security Blind Spots session, it’s stated that one of the top reasons for data leakage in Salesforce is over-provisioned users. This is exactly what happened to the state of Vermont and Huntington Bank. It’s critical for companies to continually review permission attributes for user AND guest privileges.
In another Blind Spots session with guest Rachel Beard, Distinguished Security Technical Architect at Salesforce, she stated that the human component accounts for 85-90% of attacks. To prevent human error, correctly configured access controls, roles, and permissions need to be in place.
These security experts all agree that the principle of “least privilege” should be implemented in any situation. Adopting this principle and having the right tools to find issues proactively can help companies avoid data leakage. Scans that can run with each release and on a regular schedule can alert teams and organizations to misconfigurations very early in their development pipeline.
We at DigitSec have been helping companies fight data leakage and this article confirms there are still so many companies that can use our help.
Ignoring Security is Not The Answer
Charan Akiri is the security researcher that alerted KrebsOnSecurity about the leaks. Charan wrote a program that “identified hundreds of other organizations running misconfigured Salesforce pages.” He then contacted these companies and government organizations but received no response. Only after reaching out to multiple CISO’s through social media did some eventually fix the problem. But the government organizations remained silent.
KrebsOnSecurity did eventually get an initial response from Washington D.C. when they presented the District with the findings. Their response being they hired a third-party investigator who confirmed the District’s IT systems were not vulnerable.
Unfortunately, that was not the case and only after being presented with the actual leaked documents did the District’s interim CISO admit oversights had been made.
This is a “problem within the problem” that’s also highlighted in one of our sessions. Many companies tend to put their “head in the sand” when it comes to security. This happens because organizations think Salesforce is secure so they don’t need to secure it further. The reality is that Salesforce is responsible for out-of-the-box security. Any changes past that – and any resulting security implications from those changes – are the responsibility of the user.
The right tools should include ones like DigitSec that can scan and test for issues before they lead to data leakage. Our purpose as a company is to help protect our customers from this problem – A problem that is tangible, growing, and needs to be addressed by every company using Salesforce.
How Companies Can Enhance Salesforce Security and Avoid Leaking Data
There are many actions a company can take to avoid data leakage. First and foremost, they need to understand that they are responsible for any risk they create, which begins the moment they customize the platform.
Second, companies should educate themselves with guidance from Salesforce. Notable links from Salesforce found in KerbsOnSecurity’s article include:
- Guest User Access Report
- Control Which Users Experience Cloud Site Users Can See
- Best Practices and Considerations When Configuring the Guest User Profile
Lastly, companies should invest in tools like DigitSec to help them surface security issues and remain aware of their security posture at all times. A truly secure Salesforce environment can only be achieved through constant vigilance, which can be delivered with the right tools and processes.
