Warning: Salesforce Ghost Sites Exposing Sensitive Information
Varonis has reported a number of abandoned Salesforce sites, which it calls “Salesforce ghost sites”: sites that were taken out of service but never properly deactivated. Some of these sites are unintentionally exposing personal information about users and confidential company data. The company issued the following warning:
The exposed data is not restricted to only old data from when the site was in use; it also includes new records that were shared with the guest user due to the sharing configuration in their Salesforce environment.
Salesforce ghost sites are abandoned Salesforce Communities that remain reachable but are no longer actively monitored or protected. Companies set these sites up to share information and collaborate with partners and customers. They are hosted on Salesforce domains such as ‘partners.acme.org.00d400.live.siteforce.com’, and a company typically points a friendlier custom domain such as ‘partners.acme.org’ at that host through a DNS record.
According to Varonis, a ghost site arises when a company replaces a Salesforce site with a new site hosted elsewhere, for example in its AWS environment. DNS for ‘partners.acme.org’ is repointed at the new site, but the Salesforce site and its custom domain remain active and reachable. The company explained:
Varonis Threat Labs researchers discovered that many companies stop at just modifying DNS records. They do not remove the custom domain in Salesforce, nor do they deactivate the site. Instead, the site continues to exist, pulling data and becoming a ghost site.
Ghost sites can be located using historical DNS data. Services such as SecurityTrails keep indexed and archived DNS records, so a custom domain whose record once pointed at a Salesforce site host can still be found after the record has been changed to point elsewhere.
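The check that follows from this is simple: compare the archived DNS records for a custom domain with the current ones, and flag any domain that used to be a CNAME to a Salesforce site host but no longer is. The script below is an added example written for this article; it is not Varonis tooling and not code from Salesforce. It assumes the records have already been exported from a historical DNS source (the export format, the `DnsRecord` shape, and the `.force.com` suffix are assumptions), and the domains, hosts and records in it are constructed for illustration.

```python
"""Flag candidate Salesforce "ghost sites" from current and historical DNS.

Added example for this article; it is not Varonis tooling. The idea: a custom
domain such as partners.acme.org is normally a CNAME to a Salesforce Sites host
like partners.acme.org.00d400.live.siteforce.com. If archived DNS shows such a
CNAME but the current record points elsewhere, the Salesforce site may still be
live and serving records to its guest user. All records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
import http.client

# Host suffixes used by Salesforce-hosted sites. ".live.siteforce.com" is the
# form named in the article; ".force.com" is assumed here as a second common form.
SALESFORCE_SITE_SUFFIXES = (".live.siteforce.com", ".force.com")


@dataclass(frozen=True)
class DnsRecord:
    name: str      # custom domain, e.g. partners.acme.org
    rtype: str     # "CNAME" or "A"
    value: str     # record target
    current: bool  # True if served today, False if taken from DNS history


def normalise(host: str) -> str:
    return host.strip().rstrip(".").lower()


def is_salesforce_site_host(host: str) -> bool:
    return normalise(host).endswith(SALESFORCE_SITE_SUFFIXES)


def classify_domains(records: Iterable[DnsRecord]) -> Dict[str, Tuple[str, Tuple[str, ...]]]:
    """Return {domain: (verdict, hosts)}.

    verdict is one of:
      "ghost_candidate"   - history shows a Salesforce CNAME that is no longer the
                            current target; hosts = the old Salesforce hosts to probe
      "salesforce_active" - the current CNAME still points at Salesforce; hosts = that target
      "not_salesforce"    - no Salesforce CNAME in history or today; hosts = ()
    """
    by_name: Dict[str, List[DnsRecord]] = {}
    for rec in records:
        by_name.setdefault(normalise(rec.name), []).append(rec)

    result: Dict[str, Tuple[str, Tuple[str, ...]]] = {}
    for name, recs in by_name.items():
        sf_cnames = [r for r in recs if r.rtype.upper() == "CNAME" and is_salesforce_site_host(r.value)]
        current_sf = {normalise(r.value) for r in sf_cnames if r.current}
        historical_sf = {normalise(r.value) for r in sf_cnames if not r.current}
        former = historical_sf - current_sf
        if former:
            result[name] = ("ghost_candidate", tuple(sorted(former)))
        elif current_sf:
            result[name] = ("salesforce_active", tuple(sorted(current_sf)))
        else:
            result[name] = ("not_salesforce", ())
    return result


def probe_site_host(host: str, timeout: float = 5.0) -> Optional[int]:
    """Ask the old Salesforce host directly whether it still answers.

    Returns the HTTP status of a HEAD / request, or None when the host no longer
    resolves or accepts connections. Any 2xx/3xx means the site is still live;
    confirm what the guest user can actually see from inside Salesforce rather
    than by scraping. Performs network I/O, so the offline sample run skips it.
    """
    try:
        conn = http.client.HTTPSConnection(host, timeout=timeout)
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None


# Constructed sample: one repointed domain, one still on Salesforce, one unrelated.
SAMPLE_RECORDS = [
    DnsRecord("partners.acme.org", "CNAME", "partners.acme.org.00d400.live.siteforce.com.", current=False),
    DnsRecord("partners.acme.org", "CNAME", "d1a2b3c4.cloudfront.net.", current=True),
    DnsRecord("support.acme.org", "CNAME", "support.acme.org.00d400.live.siteforce.com.", current=False),
    DnsRecord("support.acme.org", "CNAME", "support.acme.org.00d400.live.siteforce.com.", current=True),
    DnsRecord("www.acme.org", "A", "203.0.113.10", current=False),
    DnsRecord("www.acme.org", "A", "203.0.113.20", current=True),
]

if __name__ == "__main__":
    for domain, (verdict, hosts) in sorted(classify_domains(SAMPLE_RECORDS).items()):
        print(f"{domain:20s} {verdict:18s} {' '.join(hosts)}")
```

For each `ghost_candidate`, run `probe_site_host` against the old siteforce.com host itself (not the custom domain, which now resolves elsewhere); a host that still answers is the one to deactivate in Salesforce and to review for guest-user sharing.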
Because these neglected sites are no longer maintained, they may carry unpatched security flaws and are easier to attack. Varonis recommended the following:
To solve the problem of ghost sites — and to mitigate other threats — sites that are no longer in use should be deactivated. It’s important to keep track of all Salesforce sites and their respective users’ permissions — including both community and guest users.