Security researcher details exploitation of common misconfigurations in Salesforce Lightning
A security researcher published a blog post detailing common misconfigurations in Salesforce Lightning that can allow guest users, or attackers leveraging guest user access, to reach sensitive data stored in Salesforce.
Researcher Aaron Costello noted in his blog, "The purpose of this tutorial is to share my knowledge of exploiting common misconfigurations found in the popular CRM, Salesforce Lightning. As of current there is no public documentation on the attacker perspective. This article is not yet conclusive on the topic; a small number of specific vectors of attack are not discussed (e.g. blind SOQL injection), nor are all default controller methods that can be taken advantage of as an attacker. It will hopefully, however, provide sufficient knowledge to begin exploiting these pitfalls."