Banks and healthcare providers expose private data through Salesforce Community websites

May 2, 2023

Banks and health care providers are among the institutions exposing private and sensitive information from their public Salesforce Community websites, according to KrebsOnSecurity.

Unauthenticated individuals were allegedly able to view records that should have been available only after signing in, due to a misconfiguration in Salesforce Community. Salesforce administrators may erroneously offer guest users access to internal resources, allowing unauthorized individuals to access an organization’s secret information and potentially leading to data leaks.

The disclosures were discovered by security researcher Charan Akiri, who claimed to have written a tool that detected hundreds of additional firms operating misconfigured Salesforce sites. The data exposures, according to Salesforce, are not the consequence of a vulnerability in the Salesforce platform but can occur when customers’ access control permissions are incorrectly configured.

Vermont was a victim because it had at least five separate Salesforce Community sites that allowed guests to access sensitive data, including a Pandemic Unemployment Assistance program that exposed the applicant’s full name, Social Security number, address, phone number, email address, and bank account number.

Vermont’s Chief Information Security Officer, Scott Carbee, stated that his security teams have been doing a thorough investigation of their Salesforce Community sites, and that they have already discovered one more Salesforce site maintained by the state that was likewise misconfigured to give visitor access to critical information.

The sources for this piece include an article in KrebsOnSecurity.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
