According to a recent report by cybersecurity journalist Brian Krebs, several organizations, including banks and healthcare providers, are leaking sensitive information because of a misconfiguration in Salesforce Communities (now marketed as Experience Cloud). Communities lets Salesforce customers build public-facing websites on top of their Salesforce org, and a site can admit visitors in two ways: some sites require users to log in, while others let unauthenticated guests view content.
The misconfiguration Krebs reported gives those unauthenticated guest users access to records, some of which contain sensitive information such as Social Security numbers and bank account details. Krebs notes that this is not an isolated incident and that configuration-based security risks are a common problem across many SaaS products on the market today. This post covers the leak and the best practices for securing a Salesforce Community.
What is a Salesforce Community?
Salesforce Community sites give customers, partners and the public a place to engage with one another, share information, and collaborate. The custom-branded sites run on Salesforce's Lightning framework and are part of the organization's Salesforce org, so site pages read and write the same records as internal users do. Guest user access is a feature that lets unauthenticated visitors view designated content and resources without logging in; what a guest can see is governed by the site's guest user profile and by guest user sharing rules.
However, Salesforce administrators sometimes grant the guest user profile access to internal objects or write sharing rules that expose internal records, which lets unauthenticated visitors read private data. In the Krebs report, security researcher Charan Akiri said he identified hundreds of organizations with misconfigured Salesforce Community sites.
Salesforce states that the data exposures are not the result of vulnerabilities in the Salesforce platform but of customers' misconfigured access control permissions. In September 2022, Salesforce issued an advisory recommending that customers use its Guest User Access Report package to review the access granted to unauthenticated users. Krebs also cited a written statement from Salesforce, in which the company said it continues to release "robust tools and guidance for our customer."
User Dissatisfaction with Salesforce Configurations
One of the organizations with multiple misconfigured Salesforce Community sites is a US state. Its team had hastily created several Community sites in response to the COVID-19 pandemic, and those sites were not subject to the state's normal security review process. The state's Chief Information Security Officer said his "team is frustrated by the permissive nature of the platform."
He is not the only one; reading the responses to the Krebs article on the Salesforce subreddit (r/salesforce) is alarming. One Salesforce admin admitted on Reddit that “I accidentally did this at my last company when I was messing around with our Knowledge sites.” Another one acknowledged that this “mistake is easily made.”
Misconfigurations Aren’t Unique to Salesforce
Because this leak is not due to a vulnerability in Salesforce's application, it is important to know which configurations can lead to such a leak, and more generally how customers can and should continuously control (assess, monitor, and remediate) the application's configuration.
The problem of misconfigurations opening pathways to critical data is also not unique to Salesforce. SaaS products have grown more complex over time, making it hard for administrators and security teams to ensure that the correct security and access settings are in place. SaaS providers also keep introducing new features, and each one can expose customers to new risks that weaken their security posture unless someone reviews its default settings.
A further challenge is the knowledge gap between application owners and security experts, and the complicated shared-responsibility model for SaaS security, in which the vendor secures the platform but the customer owns its configuration.
Steps to Prevent Salesforce Community Leaks
Salesforce admins can take the following steps to prevent their sensitive data from being exposed to guests in Communities:
- Review the guest user sharing rules for every object and make sure they expose only the records the site actually needs; a rule that shares all Contacts or Cases with the guest user is almost always a mistake.
- Disable the "API Enabled" permission on the guest user profile, so that guests are limited to the site's pages and cannot query records directly.
- Disable public Chatter API access for guest users in Communities.
- Set the org-wide default external access of every object to Private, so that guests gain access only through explicit guest sharing rules.
- Prevent guest users from uploading files. If you do allow guest users to create records, enable the "Assign new records created by guest users to the default owner" setting so that guests never own, and therefore never retain access to, the records they create.
- Review and enable pending Salesforce Release Updates as soon as they are available; several of the updates released in the past couple of years (for example those restricting guest user record access) address exactly this topic.
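The checks in the list above can be scripted rather than clicked through. The audit below is an added example written for this post; it is not Adaptive Shield's or Salesforce's code. It does not connect to Salesforce: the three SOQL queries it carries would be run by an admin through the REST query endpoint, and the JSON bodies fed to `run_audit()`. The license name `Guest User License`, the `SENSITIVE_OBJECTS` list, and the severity ratings are assumptions for illustration, and the sample query results at the bottom are constructed by hand so that the script runs offline.

```python
"""Flag guest-user exposure in a Salesforce org from SOQL query results.

Added example for this post; it is not Adaptive Shield's or Salesforce's code.
It does not connect to Salesforce: run the three SOQL queries below through the
REST query endpoint (/services/data/vNN.N/query?q=...) as an admin and feed the
JSON bodies to run_audit(). The sample results at the bottom are constructed.
"""

# Assumption: guest profiles are identified by the "Guest User License".
GUEST_LICENSE = "Guest User License"

# Assumption: objects that commonly hold PII and should not be guest-readable.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Opportunity", "User"}

# 1. Object CRUD / "View All" grants held by guest profiles.
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, "
    "PermissionsDelete, PermissionsViewAllRecords, Parent.Profile.Name "
    "FROM ObjectPermissions "
    f"WHERE Parent.Profile.UserLicense.Name = '{GUEST_LICENSE}'"
)
# 2. "API Enabled" on guest profiles (stored on the profile's PermissionSet).
GUEST_API_SOQL = (
    "SELECT Profile.Name, PermissionsApiEnabled FROM PermissionSet "
    f"WHERE Profile.UserLicense.Name = '{GUEST_LICENSE}'"
)
# 3. Org-wide default external access per object.
EXTERNAL_OWD_SOQL = "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition"


def audit_object_permissions(result):
    """One finding per risky CRUD grant on a guest profile."""
    findings = []
    for rec in result["records"]:
        obj = rec["SobjectType"]
        profile = rec["Parent"]["Profile"]["Name"]
        if rec.get("PermissionsViewAllRecords"):
            findings.append(("HIGH", f"{profile}: View All on {obj} bypasses sharing for guests"))
        if rec.get("PermissionsEdit") or rec.get("PermissionsDelete"):
            findings.append(("HIGH", f"{profile}: guests can edit or delete {obj}"))
        if rec.get("PermissionsRead") and obj in SENSITIVE_OBJECTS:
            findings.append(("MEDIUM", f"{profile}: guests can read {obj}, which commonly holds PII"))
    return findings


def audit_guest_api_access(result):
    """Guest profiles with 'API Enabled' can query records outside the site's pages."""
    return [
        ("HIGH", f"{rec['Profile']['Name']}: 'API Enabled' is on for a guest profile")
        for rec in result["records"]
        if rec.get("PermissionsApiEnabled")
    ]


def audit_external_defaults(result, objects=SENSITIVE_OBJECTS):
    """Sensitive objects whose default external access is anything but Private."""
    return [
        ("HIGH", f"{rec['QualifiedApiName']}: external default is {rec['ExternalSharingModel']}, not Private")
        for rec in result["records"]
        if rec["QualifiedApiName"] in objects and rec["ExternalSharingModel"] != "Private"
    ]


def run_audit(object_perms, api_perms, external_defaults):
    """Combine the three checks, highest severity first."""
    findings = (audit_object_permissions(object_perms)
                + audit_guest_api_access(api_perms)
                + audit_external_defaults(external_defaults))
    return sorted(findings, key=lambda f: ("HIGH", "MEDIUM").index(f[0]))


# Constructed sample results, shaped like the REST query endpoint's JSON body.
SAMPLE_OBJECT_PERMS = {"records": [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsViewAllRecords": False,
     "Parent": {"Profile": {"Name": "Help Center Guest"}}},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsViewAllRecords": False,
     "Parent": {"Profile": {"Name": "Help Center Guest"}}},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True,
     "PermissionsEdit": True, "PermissionsDelete": False, "PermissionsViewAllRecords": True,
     "Parent": {"Profile": {"Name": "Help Center Guest"}}},
]}
SAMPLE_API_PERMS = {"records": [
    {"Profile": {"Name": "Help Center Guest"}, "PermissionsApiEnabled": True},
    {"Profile": {"Name": "Partner Portal Guest"}, "PermissionsApiEnabled": False},
]}
SAMPLE_EXTERNAL_OWD = {"records": [
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Knowledge__kav", "ExternalSharingModel": "Read"},
]}

if __name__ == "__main__":
    for severity, message in run_audit(SAMPLE_OBJECT_PERMS, SAMPLE_API_PERMS, SAMPLE_EXTERNAL_OWD):
        print(f"[{severity}] {message}")
```

Knowledge articles being guest-readable is the normal use of a public help site, which is why the script only escalates Read on objects in its sensitive list; the "View All" and edit grants on Case, and the non-Private external default on Contact, are the kind of settings the Krebs report describes. Run the audit on a schedule so that a sharing rule or profile change made after go-live is caught rather than discovered by a researcher.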
Enable Automated Protection with an SSPM
If you are already an Adaptive Shield customer, these configurations have been monitored by our platform for the past couple of years, as Adaptive Shield's cyber experts have a deep understanding of this Salesforce domain. The following actions help a security team understand an organization's SaaS attack surface and its security posture:
- Use a SaaS Security Posture Management (SSPM) platform, like Adaptive Shield, to find and remediate misconfigurations
- Implement continuous monitoring and alerting so that drift in these settings is caught and fixed before it becomes a breach
- Use identity governance tools so that you know who your users are, including guest and external users, and what permissions they hold