A recent post by Brian Krebs has identified significant Salesforce misconfigurations that have resulted in exposing numerous Salesforce customers’ sensitive data across a number of Salesforce Community websites. Organizations affected include the State of Vermont and Huntington Bank’s recently acquired TCF Bank, among others.
Data exposed include personally identifiable information (PII) such as Social Security numbers, names, and addresses. In response to the risks identified, Salesforce stated that they are “not inherent to the Salesforce platform, but they can occur when customers’ access control permissions are misconfigured.” Krebs noted that previous Salesforce misconfigurations have been identified by AppOmni’s Principal SaaS Security Engineer, Aaron Costello.
The misconfigurations identified by Krebs are common and are not unique to Salesforce instances; rather, they represent a ubiquitous security risk across the SaaS estate. One of the main ways SaaS instances are compromised is through misconfigured identity and access permissions. In these scenarios, guest accounts are over-permissioned or multi-factor authentication (MFA) is not enforced. SaaS platforms have also evolved to the point where the complexity of administration introduces toxic combinations of application misconfiguration on top of over-permissioning. This can easily result in mistakenly exposing sensitive data beyond the scope of just “communities.”
These data leaks increase the attack surface for virtually every organization using SaaS today and make them especially vulnerable to being targeted by threat actors. In these situations, attackers may use this information to execute downstream attacks that include:
- Account takeovers
- Fraudulent transactions
- Enumeration of personnel
- Compromise of connected systems and applications
Only by continuously monitoring the SaaS estate with a SaaS Security Posture Management (SSPM) solution like AppOmni can these misconfiguration risks be identified and remediated before a security incident occurs.