June 1, 2023

Varonis Threat Labs highlighted the potential risks posed by incorrectly deactivated and abandoned Salesforce Sites and Communities, also known as Experience Cloud. These unmonitored and abandoned resources, known as “ghost sites,” may result in illegal access to critical data, putting businesses at danger.

When these Communities are no longer required, according to Varonis, they are frequently laid aside without being properly deactivated. As a result, many idle sites go unmaintained and untested for vulnerabilities. Furthermore, administrators neglect to update the security measures on the sites to conform to updated recommendations.

Varonis also observed that many of these deactivated sites continue to receive fresh data, allowing threat actors to harvest information by modifying the host header in the HTTP request. While determining the full internal URLs linked with these sites is difficult, it is not impossible. Adversaries can use programs like SecurityTrails, which monitor DNS record changes, to find these sites.

The exposed data comprises both new records that were shared with guest users as a result of their Salesforce environment’s sharing settings and old information from when the site was online.

The sources for this piece include an article in TheHackerNews.