Security researchers point out that personal information may be leaked due to Salesforce software configuration mistakes

It has been pointed out that personal information such as customer names and addresses may have been leaked from servers running 'Salesforce Community', software provided by Salesforce, a major cloud-based customer relationship management (CRM) service.

Many Public Salesforce Sites are Leaking Private Data – Krebs on Security
https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leaking-private-data/

Sensitive data is being leaked from servers running Salesforce software | Ars Technica
https://arstechnica.com/information-technology/2023/04/misconfigured-servers-running-salesforce-software-are-leaking-sensitive-data/



The leak pointed out this time concerns 'Salesforce Community', a cloud-based software product provided by Salesforce. Salesforce Communities allow community administrators to make public information viewable by unauthenticated users through the guest access feature.

However, in Salesforce Communities, community administrators can inadvertently grant guest users access to internal resources, allowing unauthorized users to reach the organization's confidential and personal information, which can lead to data breaches.

'At least five sites operated by the state of Vermont in the United States use Salesforce Community, allowing anyone to access sensitive data,' said security researcher Brian Krebs. 'Due to Vermont's coronavirus outbreak, unemployment assistance programs also have access to sensitive data, including applicant names, Social Security numbers, addresses, phone numbers, email addresses, and bank account numbers,' Krebs said.

In addition, Huntington Bancshares, an Ohio-based bank holding company, had acquired TCF Financial, which had implemented Salesforce Community to process commercial loans. Social Security numbers, addresses, job titles, federal IDs, IP addresses, average monthly salaries, and loan amounts were visible to everyone.



When Krebs reached out to Vermont and Huntington Bancshares for comment, both acknowledged the exposure and immediately removed public access to the sensitive information.

'We already provide customers with clear and robust tool guidance on configuring Salesforce Communities to specify what data can be accessed by unauthenticated guest users,' Salesforce told Krebs.

On the other hand, Scott Kirby, Vermont's chief information security officer, told Krebs, 'I feel a sense of crisis about the loose posture of Salesforce Community.' 'We didn't have a native Salesforce developer among us, but due to the epidemic of the new coronavirus, we needed to launch the site immediately without prior verification,' he said.


'We are investigating the background, duration, and scale of the breach in Salesforce Community,' said Matthew Jennings, deputy chief information security officer at Huntington Bancshares.

Security researcher Charan Akiri, who identified hundreds of organizations exposed to data breaches due to misconfigurations in Salesforce Community, said: 'We notified them of the possibility of information leaks due to misconfigurations, but we received no response from these organizations.' 'Of the multiple companies and government agencies that were notified, only five actually solved the problem,' he said.

'We will continue to actively communicate with our customers to ensure that the features available to them and their instances of Salesforce are optimally protected to meet their security, contractual, legal and regulatory obligations, and we will work to spread awareness of how to do this,' Salesforce said in a statement.

in Software, Security, Posted by log1r_ut