A security researcher published a blog outlining the details of common misconfigurations in Salesforce that can result in guest users, or hackers leveraging guest user access, gaining access to sensitive data in Salesforce.

Researcher Aaron Costello noted in his blog, "The purpose of this tutorial is to share my knowledge of exploiting common misconfigurations found in the popular CRM, Salesforce Lightning. As of current there is no public documentation on the attacker perspective. This article is not yet conclusive on the topic, a small number of specific vectors of attack are not discussed (eg: blind SOQL injection) nor are all default controller methods that can be taken advantage of as an attacker. It will hopefully, however, provide sufficient knowledge to begin exploiting these pitfalls."

He added, "There are plenty of resources for code samples within the developer documentation already, and more than enough VDPs/BBPs to satisfy a thirst to begin applying your newfound knowledge immediately. However, I will walk through creating your own developer instance which will both assist in grasping the concepts outlined here and also how it can be used to assist in attacking other Salesforce Lightning instances. This isn’t mandatory for exploitation, but helpful."

Brendan O’Connor, CEO and Co-Founder at San Francisco, Calif.-based AppOmni, says, “Researcher Aaron Costello has detailed a common misconfiguration in Salesforce that can lead to guest users (or hackers leveraging guest user access) to gain access to sensitive data. Salesforce Communities and Sites enable organizations to collaborate with external/guest users and create websites/applications, respectively. With these capabilities driven by the same Salesforce instances that house internal sensitive data, you are just one misconfiguration away from possible data exposure to unauthorized users."

"The danger of data exposure due to misconfiguration is a growing problem as Salesforce, and other SaaS applications, continue to grow in features and complexity. It is not uncommon for audits and risk assessments to routinely find partners, customers, and guest users having access to sensitive data due to complex user and role access topology. If conducted regularly or via automated tooling, some of the exposures can be identified in time before evolving into an incident. In most cases, however, without such tooling, there simply aren't enough practical manual resources and expertise that can be employed to identify such data exposure in time.”

For the full blog, please visit https://www.enumerated.de/index/salesforce#exploitation