The Dangers of Public Salesforce Sites: Protecting Your Private Data

Many Organizations including banks and hospitals are shockingly leaking private and sensitive information from their public Salesforce Community websites. This is happening from a misconfiguration from the Salesforce community leading to all kinds of exposure of data stems allowing an unauthenticated user to access records that should only be available after logging in.

Salesforce Community is a cloud-based software tool that is commonly used to develop and launch websites. There are two primary ways in which customers can access a Salesforce Community site: authenticated access, which requires users to log in, and guest user access, which allows users to access specific content and resources without a login.

Unfortunately, it is not uncommon for Salesforce administrators to mistakenly provide guest users with access to internal resources. This can result in unauthorized individuals gaining access to sensitive organizational data and potentially causing data leaks. It is crucial for organizations to be aware of this vulnerability and take appropriate measures to ensure that guest access is properly configured and secure.

The state of Vermont had at least 5 separate Salesforce Community sites that allowed guest access to sensitive data, including a Pandemic Unemployment Assistance program inadvertently allowed guest users to access applicant information, including full names, Social Security numbers, addresses, phone numbers, email addresses, and bank account numbers. These types of data exposures can have serious consequences, including identity theft, financial fraud, and damage to an individual’s privacy.

Moving on, the Chief Information Security Officer Scott Carbee, said his team was conducting a full-scale operation regarding this issue and found one additional Salesforce site operated by the state that was also misconfigured to allow guest access to sensitive information.

“My team is frustrated by the permissive nature of the platform,” Carbee said. According to Carbee, the Salesforce Community sites that were found to be vulnerable were created quickly in response to the COVID-19 pandemic and were not subjected to the usual security review process.

“During the pandemic, we were largely standing up tons of applications, and let’s just say a lot of them didn’t have the full benefit of our dev/ops process,” Carbee said. “In our case, we didn’t have any native Salesforce developers when we had to suddenly stand up all these sites.”

Another case to Look at was the DC Health website designed to assist health professionals with renewing their licenses. Due to a misconfiguration, guest users were able to access documents that contained a wealth of personal information, including the applicant’s full name, address, Social Security number, date of birth, license number and expiration date, and other sensitive details. Charan Akir, A security researcher, notified the Washington D.C. government about his findings but did not receive any response. Interim Chief Information Security Officer Mike Rupert initially stated that a third-party investigation had confirmed that the District’s IT systems were not vulnerable to data loss resulting from the reported Salesforce configuration issue.

However, after being presented with evidence that included the Social Security number of a health professional in D.C. that was downloaded in real-time from the public Salesforce website, Rupert acknowledged that his team had missed some configuration settings. This incident has added to the recent data breach at DC Health Link, which exposed the personal information of more than 56,000 users, including members of Congress, earlier this year.

Salesforce says the data exposures are not the result of a vulnerability inherent to the Salesforce platform, but they can occur when customers’ access control permissions are misconfigured.

“As previously communicated to all Experience Site and Sites customers, we recommend utilizing the Guest User Access Report Package to assist in reviewing access control permissions for unauthenticated users,” reads a Salesforce advisory from Sept. 2022. “Additionally, we suggest reviewing the following Help article, Best Practices and Considerations When Configuring the Guest User Profile.”

ALSO READ

Google plan to take down CryptoBots