Salesforce Communities Misconfig Puts Clients, Partners at Risk

A misconfiguration in a Salesforce community discovered by Varonis researchers could expose data to anyone on the internet.

“Anonymous users can query objects that contain sensitive information such as customer lists, support cases and employee email addresses,” according to a Varonis blog post.

In some cases, a sophisticated attacker may be able to move laterally and retrieve information from other services that are integrated with a Salesforce account.

“At a minimum, a malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign,” the researchers wrote. “At worst, they could steal sensitive information about the business, its operations, clients, and partners.”

This isn’t the first time the researchers have run across misconfigurations in a Salesforce community and they expect SaaS (mis)configurations will continue to pose threats.

A Salesforce community is a public-facing site where an organization’s customers and partners can interface with its Salesforce instance from outside the organization, opening support tickets, asking questions and managing their subscriptions, among other activities.

That it is indexed by Google makes it “useful for customers and partners,” said Varonis, but it also “makes it easy for attackers to discover public communities.”

Most troubling, though, is that “Salesforce security is often overlooked by enterprise IT teams since Salesforce adoption often grows organically,” said Michael Isbitski, technical evangelist at Salt Security. “IT and security teams may be unaware of Salesforce use within the organization as business teams procure licenses ad hoc.”

The common perception is that Salesforce “is used primarily for sales force automation and customer relationship management.” But that notion is ill-conceived since the platform’s capabilities “are much more expansive, including services like Salesforce Communities,” said Isbitski.

Over the years, Salesforce has acquired a number of companies “to flesh out their portfolio of offerings,” which also includes “what the company has built itself,” he said.

As a result, “the capabilities don’t all use a unified technology stack, which results in additional misconfiguration and operational complexity” further complicated by the fact that “Salesforce can also be used as a custom application development platform with Salesforce Lightning or Heroku,” said Isbitski. “This greatly expands the attack surface for organizations, and the risk of misconfiguration or vulnerable custom code is greatly elevated.”

Isbitski noted that the Varonis findings show “some organizations have neglected to lock down settings accordingly in their Salesforce Communities instances, leaving guest access enabled.”

That means an attacker could “query Salesforce Communities instances via web APIs to obtain data they likely shouldn’t be authorized for,” he said. “If the organization has also expanded their Salesforce instance with other custom Apex code, there is a potential scenario where an attacker could pivot in their attack chain and abuse other services within the vulnerable organization.”

Salesforce has tried “to [disable] some of the relevant settings by default and lock them down to prevent organizations from shooting themselves in the foot,” said Isbitski. “However, some settings are still left up to administrators operating their own instances.”

That makes it imperative for organizations to pay careful attention to better safeguard their assets. “As major SaaS platforms like Salesforce, Workday, ServiceNow and Microsoft 365 evolve and grow in functionality and complexity, businesses should be using automated tools and processes to continuously monitor and manage user permissions and configurations,” noted Brendan O’Connor, CEO and co-founder of AppOmni.

Varonis researchers recommend that Salesforce administrators:

  1. Ensure guest profile permissions don’t expose sensitive data like account records, employee calendars, and the like.
  2. Disable API access for guest profiles.
  3. Set the default owner for records created by guest users.
  4. Enable secure guest user access.


Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 196 posts and counting.See all posts by teri-robinson