"Salesforce Communities Could Expose Business-Sensitive Information"

Researchers at Varonis have found that numerous publicly accessible Salesforce communities are misconfigured and could expose sensitive information.  A Salesforce Community site lets customers and partners interface with a Salesforce instance from outside an organization. According to the researchers, anonymous users can “query objects that contain sensitive information such as customer lists, support cases, and employee email addresses.” The researchers stated that malicious actors could exploit this misconfiguration to perform recon for a spear-phishing campaign.  Some adversaries could also use the misconfigurations to steal sensitive information about the business, its operations, clients, and partners.  The researchers stated that in some cases, a sophisticated attacker might be able to move laterally and retrieve information from other services that are integrated with the Salesforce account.  The researchers stated that Salesforce admins can take the following steps to protect themselves from attackers: ensure guest profile permissions don’t expose things that shouldn’t be exposed, disable API access for guest profiles, set the default owner for records created by guest users, and enable secure guest user access.

Infosecurity reports: "Salesforce Communities Could Expose Business-Sensitive Information"