[German]Varonis security researchers have discovered a problem associated with Salesforce sites that are orphaned and no longer in use. Varonis Threat Labs security researchers have discovered that improperly disabled Salesforce sites, known as ghost sites, continue to retrieve current data and are accessible to attackers: By manipulating the host header, cybercriminals can gain access to sensitive personal data and business information.
Advertising
Salesforce Sites allow companies to create custom communities that allow partners and customers to collaborate within a company's Salesforce environment. By their very nature, this involves sharing confidential and sensitive data. However, when these communities are no longer needed, they are often not properly disabled. This opens an attack path for attackers, especially since these unused sites are generally not monitored and tested for vulnerabilities.
How Salesforce Ghost Sites are left over
Typically, when using Salesforce, companies create custom domains such as "partners.acme.org," which points to the corresponding community site ("partners.acme.org/00d400.live.siteforce.com"). If the company now moves to another provider, it will generally want to continue using the user-friendly "partners.acme.org" domain, which now links to the site hosted by the new provider.
Unfortunately, many companies limit this to changing DNS records and do not remove the custom domain in Salesforce, nor do they disable the site. Thus, the Salesforce site continues to exist with all the potentially sensitive communications, business records, and other business and personal information it contains, and may continue to be updated.
Access to sensitive data by cybercriminals
To get at the data, attackers need to know the exact internal domain associated with a company's still-existing Salesforce site. Using tools that index and archive DNS records (such as SecurityTrails) makes it easier to identify ghost sites.
These sites are still active in Salesforce and thus accessible under the right circumstances. Although a simple GET request results in an error, attackers can modify the host header: This fools Salesforce into thinking the site was accessed as partners.acme.org/. Salesforce thus redirects the attackers to the ghost site.
Advertising
In their investigation, the security researchers identified numerous abandoned sites with confidential information including personal data and sensitive business data that would otherwise be inaccessible. The exposed data is not limited to old data from when the site was in use, but also includes new records shared with the guest user based on the sharing configuration in the Salesforce environment.
How to prevent ghost sites
To solve the problem of ghost sites, sites that are no longer in use should always be disabled. It's also important to keep track of all Salesforce sites and the permissions of each user – including community and guest users. Varonis Threat Labs has created a guide to protecting active Salesforce communities from spying and data theft, which is available here.
