Many Public Salesforce Sites are Leaking Private Data

April 27, 2023

A shocking number of organizations -- including banks and healthcare providers -- are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.

[dchealth-sf] A researcher found DC Health had five Salesforce Community sites exposing data.

Salesforce Community is a widely-used cloud-based software product that makes it easy for organizations to quickly create websites. Customers can access a Salesforce Community website in two ways: authenticated access (requiring login), and guest user access (no login required).

The guest access feature allows unauthenticated users to view specific content and resources without needing to log in. However, sometimes Salesforce administrators mistakenly grant guest users access to internal resources, which can cause unauthorized users to access an organization's private information and lead to potential data leaks.

Until being contacted by this reporter on Monday, the state of Vermont had at least five separate Salesforce Community sites that allowed guest access to sensitive data, including a Pandemic Unemployment Assistance program that exposed the applicant's full name, Social Security number, address, phone number, email, and bank account number.

[vermont-salesforce] This misconfigured Salesforce Community site from the state of Vermont was leaking pandemic assistance loan application data, including names, SSNs, email address and bank account information.
Vermont's Chief Information Security Officer Scott Carbee said his security teams have been conducting a full review of their Salesforce Community sites, and already found one additional Salesforce site operated by the state that was also misconfigured to allow guest access to sensitive information.

"My team is frustrated by the permissive nature of the platform," Carbee said.

Carbee said the vulnerable sites were all created rapidly in response to the Coronavirus pandemic, and were not subjected to their normal security review process.

"During the pandemic, we were largely standing up tons of applications, and let's just say a lot of them didn't have the full benefit of our dev/ops process," Carbee said. "In our case, we didn't have any native Salesforce developers when we had to suddenly stand up all these sites."

Earlier this week, KrebsOnSecurity notified Columbus, Ohio-based Huntington Bank that its recently acquired TCF Bank had a Salesforce Community website that was leaking documents related to commercial loans. The data fields in those loan applications included name, address, full Social Security number, title, federal ID, IP address, average monthly payroll, and loan amount.

Huntington Bank has disabled the leaky TCF Bank Salesforce website. Matthew Jennings, deputy chief information security officer at Huntington, said the company was still investigating how the misconfiguration occurred, how long it lasted, and how many records may have been exposed.

KrebsOnSecurity learned of the leaks from security researcher Charan Akiri, who said he wrote a program that identified hundreds of other organizations running misconfigured Salesforce pages. But Akiri said he's been wary of probing too far, and has had difficulty getting responses from most of the organizations he has notified to date.

"In January and February 2023, I contacted government organizations and several companies, but I did not receive any response from these organizations," Akiri said.
"To address the issue further, I reached out to several CISOs on LinkedIn and Twitter. As a result, five companies eventually fixed the problem. Unfortunately, I did not receive any responses from government organizations."

The problem Akiri has been trying to raise awareness about came to the fore in August 2021, when security researcher Aaron Costello published a blog post explaining how misconfigurations in Salesforce Community sites could be exploited to reveal sensitive data (Costello subsequently published a follow-up post detailing how to lock down Salesforce Community sites).

On Monday, KrebsOnSecurity used Akiri's findings to notify Washington D.C. city administrators that at least five different public DC Health websites were leaking sensitive information. One DC Health Salesforce Community website designed for health professionals seeking to renew licenses with the city leaked documents that included the applicant's full name, address, Social Security number, date of birth, license number and expiration, and more.

Akiri said he notified the Washington D.C. government in February about his findings, but received no response.

Reached by KrebsOnSecurity, interim Chief Information Security Officer Mike Rupert initially said the District had hired a third party to investigate, and that the third party confirmed the District's IT systems were not vulnerable to data loss from the reported Salesforce configuration issue.

But after being presented with a document including the Social Security number of a health professional in D.C. that was downloaded in real-time from the DC Health public Salesforce website, Rupert acknowledged his team had overlooked some configuration settings.

Washington, D.C. health administrators are still smarting from a data breach earlier this year at the health insurance exchange DC Health Link, which exposed personal information for more than 56,000 users, including many members of Congress.
That data later wound up for sale on a top cybercrime forum. The Associated Press reports that the DC Health Link breach was likewise the result of human error, and said an investigation revealed the cause was a DC Health Link server that was "misconfigured to allow access to the reports on the server without proper authentication."

Salesforce says the data exposures are not the result of a vulnerability inherent to the Salesforce platform, but they can occur when customers' access control permissions are misconfigured.

"As previously communicated to all Experience Site and Sites customers, we recommend utilizing the Guest User Access Report Package to assist in reviewing access control permissions for unauthenticated users," reads a Salesforce advisory from Sept. 2022. "Additionally, we suggest reviewing the following Help article, Best Practices and Considerations When Configuring the Guest User Profile."

In a written statement, Salesforce said it is actively focused on data security for organizations with guest users, and that it continues to release "robust tools and guidance for our customers," including:

- Guest User Access Report
- Control Which Users Experience Cloud Site Users Can See
- Best Practices and Considerations When Configuring the Guest User Profile

"We've also continued to update our Guest User security policies, beginning with our Spring '21 release with more to come in Summer '23," the statement reads. "Lastly, we continue to proactively communicate with customers to help them understand the capabilities available to them, and how they can best secure their instance of Salesforce to meet their security, contractual, and regulatory obligations."
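The exposures described above come down to what the site's guest user profile is allowed to read or write, which is exactly what Salesforce's guidance asks administrators to review. The script below is an added example, not code from the article, from Salesforce, or from the researchers it quotes. It triages an export of ObjectPermissions rows for guest user profiles and ranks the grants, so a defender can see at a glance which objects an unauthenticated visitor could reach. It assumes the export is the JSON a REST query returns for the SOQL shown in the docstring (field names as in that query), and the sample export, the sensitive-object list and the public-object list are all constructed for the demonstration.

```python
"""Triage a Salesforce ObjectPermissions export for guest user profiles.

Added example (not from the article, Salesforce or the quoted researchers).
Assumed input: the JSON returned by the REST query endpoint for a SOQL such as

    SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
           PermissionsDelete, Parent.Profile.Name, Parent.Profile.UserLicense.Name
    FROM ObjectPermissions
    WHERE Parent.IsOwnedByProfile = true

The object lists below are a constructed starting policy; tune them per org.
"""
import json

# Constructed sample export: three guest-profile rows and one internal-profile row.
SAMPLE_EXPORT = json.dumps({
    "totalSize": 4,
    "done": True,
    "records": [
        {"SobjectType": "Knowledge__kav", "PermissionsRead": True,
         "PermissionsCreate": False, "PermissionsEdit": False, "PermissionsDelete": False,
         "Parent": {"Profile": {"Name": "Help Center Guest User",
                                 "UserLicense": {"Name": "Guest User License"}}}},
        {"SobjectType": "Contact", "PermissionsRead": True,
         "PermissionsCreate": False, "PermissionsEdit": False, "PermissionsDelete": False,
         "Parent": {"Profile": {"Name": "Licensing Portal Guest User",
                                 "UserLicense": {"Name": "Guest User License"}}}},
        {"SobjectType": "Loan_Application__c", "PermissionsRead": True,
         "PermissionsCreate": True, "PermissionsEdit": False, "PermissionsDelete": False,
         "Parent": {"Profile": {"Name": "Licensing Portal Guest User",
                                 "UserLicense": {"Name": "Guest User License"}}}},
        {"SobjectType": "Contact", "PermissionsRead": True,
         "PermissionsCreate": True, "PermissionsEdit": True, "PermissionsDelete": False,
         "Parent": {"Profile": {"Name": "Standard User",
                                 "UserLicense": {"Name": "Salesforce"}}}},
    ],
})

# Constructed policy: objects that must never be reachable without a login,
# and objects a public site is normally expected to serve (e.g. a knowledge base).
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Lead", "ContentVersion",
                     "ContentDocument", "Loan_Application__c"}
PUBLIC_OBJECTS = {"Knowledge__kav"}

CRUD_FIELDS = (("PermissionsRead", "R"), ("PermissionsCreate", "C"),
               ("PermissionsEdit", "U"), ("PermissionsDelete", "D"))


def is_guest_profile(record):
    """True when the row belongs to a profile on a guest user license."""
    profile = (record.get("Parent") or {}).get("Profile") or {}
    license_name = (profile.get("UserLicense") or {}).get("Name", "")
    return "Guest" in license_name


def crud_string(record):
    """Compact CRUD flags, e.g. 'R' for read-only, 'RC' for read and create."""
    return "".join(flag for field, flag in CRUD_FIELDS if record.get(field))


def classify(obj, crud):
    """Severity of a guest-profile grant; None when the profile has no access."""
    if not crud:
        return None
    # Any write access, or read access to a sensitive object, is a high finding.
    if obj in SENSITIVE_OBJECTS or any(flag in crud for flag in "CUD"):
        return "high"
    if obj in PUBLIC_OBJECTS:
        return "expected"
    return "review"


def audit_guest_permissions(export_json):
    """Return guest-profile grants as dicts, riskiest first."""
    findings = []
    for rec in json.loads(export_json)["records"]:
        if not is_guest_profile(rec):
            continue  # internal profiles are out of scope for this check
        obj = rec["SobjectType"]
        crud = crud_string(rec)
        severity = classify(obj, crud)
        if severity is None:
            continue
        findings.append({"profile": rec["Parent"]["Profile"]["Name"],
                         "object": obj, "crud": crud, "severity": severity})
    rank = {"high": 0, "review": 1, "expected": 2}
    findings.sort(key=lambda f: (rank[f["severity"]], f["profile"], f["object"]))
    return findings


def count_by_severity(findings):
    """Summary counts, useful as a regression number between reviews."""
    counts = {"high": 0, "review": 0, "expected": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in audit_guest_permissions(SAMPLE_EXPORT):
        print(f"{f['severity']:9}{f['profile']:30}{f['object']:22}{f['crud']}")
    print(count_by_severity(audit_guest_permissions(SAMPLE_EXPORT)))
```

Object-level CRUD is only one of the layers that decide what a guest user can reach; the guest profile's sharing rules and field-level security deserve the same review, and a clean report from this script should not be read as a clean site.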
This entry was posted on Thursday 27th of April 2023 10:09 PM.

21 thoughts on "Many Public Salesforce Sites are Leaking Private Data"

1. NW, April 27, 2023

Sounds like Salesforce has the same security strategy as AWS. Market their products claiming that they'll handle (and be responsible for) security issues that don't result from user misconfiguration, then define "configuration" such that it covers basically the entire attack surface and make correct configuration so unlikely when performed by mere mortals that only an idiot would ever bother to hit the parts the company is legally responsible for. What a business model.

    1. Herald, April 28, 2023

    I don't know how familiar you are with Salesforce, but wouldn't you consider it misconfiguration if someone grants access to objects to the Guest User profile?

2. Vijay, April 28, 2023

Salesforce admins need to stop the sharing of unwanted data to guest users. I am sure that they have a clear security model, and not admins or developers who have been well trained on that.

3. Michael Lambert, April 28, 2023

Salesforce aura objects misconfigs, not surprising. And the incompetency of these government and private organizations to address and rectify these misconfigurations isn't alarming either.

4. Craig Lewis, April 28, 2023

Ten years ago, I worked for a healthcare company managing Medicaid accounts and it uploaded sensitive client data to a state reporting system. The data was uploaded to the front-facing website instead of the secure site. Within 5 minutes there were hits from China and Eastern European countries.
I can guarantee that any information on Salesforce Community sites open to guest access has already been gleaned by China and Korea. They are monitoring all of our systems.

5. Dennis, April 28, 2023

:Facepalm: is all I can say. PS. Also, why would a database need guest access?

    1. Douglas Merrett, April 28, 2023

    Guest access is for public knowledge bases or the ability to request a quote without having to authenticate.

    2. Doug Merrett, April 28, 2023

    I run my own Salesforce security consultancy. At the same time I was drafting a blog about Salesforce Community security issues, this article was published. My blog covers authenticated access and has a solution to the issue as well. Please have a look at https://www.platinum7.com.au/salesforce-communities-security-issue

6. BF, April 28, 2023

This is very interesting considering that the RSA Conference is in San Francisco this week.

7. Christopher Quinn, April 28, 2023

I didn't see any security-related marketing content on this salesforce.com landing page that I clicked on after typing "Salesforce" in Google and clicking on the first sponsored result. https://www.salesforce.com/form/demo/salesforce-products/ However, I have not visited their home page.

8. Robert.Walter, April 28, 2023

"interim Chief Information Security Officer Mike Rupert."

On the basis of this report, perhaps this guy should only be interim interim CISO, and briefly? Somebody should file a FOIA request to see if the 3rd-party report exists and, if so, whether it caught the vulnerability and recommended mitigations, or whether the 3rd party is ineffective. Something seems fishy here.

9. Tom, April 28, 2023

So the SI didn't configure the data model correctly and then an untrained admin got loose.

10. LHW, April 28, 2023

"Carbee said the vulnerable sites were all created rapidly in response to the Coronavirus pandemic, and were not subjected to their normal security review process."
I was a security analyst for a large municipal health department when novel coronavirus reached the U.S. I was already frustrated before that by cases of established IT security procedures being bypassed in the name of questionable operational expediency, so toward the end of 2019 I started documenting these to review with management later. Come February 2020, I had to throw this notion out the window. Emergency became the new normal very rapidly, and if a stakeholder could link the word "CoViD" to their project by any tortured twist of logic, then no questions could be asked.

I don't work there now. I can only hope that three years later the situation has stabilized enough that my old IT department has been able to return to more deliberate and comprehensive practices. In any case, the techs and managers implicated in this report have my sympathy, and I hope they've also been able to regain their sanity. I also hope they are grateful to the researchers that help them find the issues they've missed, more than annoyed.

11. Mike, April 28, 2023

I just emailed DC's Department of Health to ask them to confirm that their vulnerability has been fixed.... Very not good given the fees for being licensed in DC...

    1. NNM, April 28, 2023

    Maybe getting fixed? DC's licensing Salesforce site now shows: "Sorry, We are down for Scheduled maintenance"

        1. AnotherGreaybeard, April 28, 2023

        Hmmm, yeah, "scheduled". Uh-huh, yeah.

12. Wannabe techguy, April 28, 2023

No worries. I'm sure ChatGPT will solve it all! Could all this leaking be on purpose, or are these "experts" really this dumb? While I follow security issues the best I can, I thought I wasn't smart enough to be a "pro". Maybe I'm not as dumb as I thought.

13. Techie, April 28, 2023

https://www.varonis.com/blog/salesforce-misconfiguration-causes-sensitive-data-leaks

14. AnotherGreaybeard, April 28, 2023

Well, the DC one looks to be a no-brainer.
After all, the site snapshot there says it is copyrighted in the year "203". Who thought about cybersecurity back then, when the major issue of the day was your lost goat in the forest?

15. RC, April 28, 2023

Salesforce has consistently recommended to admins that these sorts of holes are plugged. Their security audit tool calls this out as a high-priority, critical issue. The biggest problems (not in any particular order) are:

1. Packages made by ISV partners that leave these holes open for "some purpose" such that if an admin tries to close them, it breaks the necessary access.
2. Admins who just don't know any better (this is getting more and more common, as the focus is that admins pass the exam rather than gain the requisite knowledge before getting their first admin gig).
3. Specialization in Experience Cloud (this is NOT called Communities anymore, and hasn't been for two years) is often the role of a consultant, so admins who are building them are often not aware of the issues involved.

How do we fix these issues? As they have different causes, we have to approach them individually. I say shame on these ISVs who create the problems that admins can't fix. And we really need to rethink the attitude of "everyone can be an admin" and "passing the test is all that matters." We do ourselves and the public a disservice when people don't know how to address these things.

16. Jem, April 28, 2023

The whole concept is horrendously risky.

1 - build a central business platform for your core business.
2 - create a public website for your customers to interact directly with that core platform.
3 - hope that no admin, consultant or over-permissioned person in marketing ops makes a mistake.
4 - hope no app developer makes a mistake ...

Why not segment public and private platforms and neatly integrate them securely.