In a recent development that has raised alarms within the tech community, a critical security vulnerability has been discovered in Salesforce Communities, widely recognized and utilized for customer relationship management (CRM). This revelation came to light when a penetration test revealed significant flaws in several Salesforce instances, most notably in misconfigured objects and broken access controls. The primary concern stemmed from improper configuration of both standard and custom Salesforce objects, which inadvertently permitted unauthorized access to a vast array of sensitive data. As a result, customer Personally Identifiable Information (PII), account information, personal notes, files, calendar events, and other crucial information were exposed.
The security research firm 0xbro conducted this penetration test, highlighting the ease with which attackers could exploit these vulnerabilities. The research pinpointed that access to sensitive data could be leveraged for further exploitation or social engineering attacks. The technical findings were particularly concerning, as they underscored the potential for downloading restricted files using specific object IDs and API endpoints. Furthermore, private and sensitive files from Document, ContentDocument, and ContentVersion objects were found to be at risk, amplifying the gravity of the issue.
Critical Findings
One of the most alarming discoveries was related to a custom Apex controller named CA_ChangePasswordSettingController. This controller contained a method called resetPassword, which required only the user’s ID and a new password to reset an account’s password. It did not necessitate the current password or any authentication token, thus posing a severe security risk. Attackers could exploit this flaw by simply identifying user IDs, which is often easier than one might expect, and then hijacking the accounts by resetting the passwords. This vulnerability highlighted a critical oversight in ensuring robust security measures in custom controllers and methods. It emphasized the need for enhanced input validation and access controls to prevent such unauthorized actions.
In addition to the glaring issue with the CA_ChangePasswordSettingController, the research unveiled other significant technical shortcomings. Among these were the improper configurations that allowed direct download of restricted files and the inadequate protection of sensitive API endpoints. These endpoints, if compromised, could provide attackers with entry points to siphon off restricted information. The findings stressed the urgency for organizations to meticulously review and secure their object and field-level security settings, ensuring sensitive data remains protected. Organizations were urged to regularly audit their custom Apex controllers and reinforce authentication checks, particularly those involving password resets.
Recommendations to Enhance Security
Organizations using Salesforce Communities should take immediate steps to secure their environments. Key recommendations include:
- Conduct Regular Audits: Regularly audit custom Apex controllers and security configurations.
- Implement Robust Access Controls: Ensure strong access controls are in place for all objects and fields.
- Enhance Input Validation: Improve input validation to prevent unauthorized access.
- Strengthen Authentication: Reinforce authentication mechanisms, especially for sensitive actions like password resets.
- Secure API Endpoints: Protect sensitive API endpoints to prevent exploitation.
By following these recommendations, organizations can better safeguard their sensitive customer data and mitigate the risks highlighted by the recent security vulnerabilities.