A recent penetration test conducted on Salesforce Communities revealed critical vulnerabilities that could allow attackers to take over user accounts.
The security assessment, performed on multiple Salesforce instances, uncovered several issues related to misconfigured objects and broken access controls.
The investigation found that many standard and custom Salesforce objects were improperly configured, allowing unauthorized access to sensitive data.
By exploiting these misconfigurations, the researcher was able to retrieve:
- Customer PII from Contact objects
- Account information including names, emails, and IDs
- Personal notes from Note objects
- Exposed files from Document, ContentDocument, and ContentVersion objects
- Calendar events and other sensitive data from various objects
0xbro researchers observed that this level of access could provide attackers with a wealth of information for further exploitation or social engineering attacks.
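The object exposure described above is, in a Community, usually a combination of profile/sharing settings and custom code that reaches past them. The following is an added illustration, not code from the assessment or from Salesforce: two hypothetical community-facing Apex controllers (class and method names assumed) that return Contact records. The first shows the pattern that leaks PII to any community user; the second enforces sharing, object access and field-level security before records leave the controller. Each class would normally live in its own file; they are shown side by side here for comparison.

```apex
// Added example, not from the original article. Class/method names are hypothetical.

// VULNERABLE PATTERN: "without sharing" runs the query in system context, so
// record-level sharing is ignored; no object or field-level check is made, and
// the dynamic SOQL is built by concatenation, so it is also injectable.
public without sharing class ContactLookupVulnerable {
    @AuraEnabled(cacheable=true)
    public static List<Contact> search(String term) {
        return Database.query(
            'SELECT Id, Name, Email, Phone FROM Contact WHERE Name LIKE \'%' + term + '%\''
        );
    }
}

// HARDENED PATTERN: "with sharing" applies the running user's sharing rules,
// object-level access is checked explicitly, the query uses a bind variable,
// and Security.stripInaccessible removes any field the user cannot read
// (so a Community user without FLS on Email/Phone simply does not get them).
public with sharing class ContactLookupSecure {
    @AuraEnabled(cacheable=true)
    public static List<Contact> search(String term) {
        // Object-level (CRUD) check: does the running user have read access to Contact?
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AuraHandledException('Insufficient access to Contact records');
        }
        // Bound variable; no string concatenation into SOQL.
        String pattern = '%' + String.escapeSingleQuotes(term) + '%';
        List<Contact> rows = [
            SELECT Id, Name, Email, Phone
            FROM Contact
            WHERE Name LIKE :pattern
            LIMIT 50
        ];
        // Field-level security: strip fields the running user is not allowed to read.
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Contact>) decision.getRecords();
    }
}
```

Note that stripping is done in code even though the profile should already deny the fields; the point of the hardened controller is that it stays safe when the object and field permissions are later misconfigured, which is exactly the condition the assessment found.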
Technical Analysis
The researcher discovered that certain object IDs could be used to directly download files that were meant to be restricted.
By using specific API endpoints, attachments from Document, ContentDocument, and ContentVersion objects were accessible. This allowed the retrieval of deployment configurations, private screenshots, sales tables, and other sensitive files.
The most severe finding was a broken access control issue in a custom Apex controller named CA_ChangePasswordSettingController.
This controller exposed a resetPassword method that required only two parameters:
- userID
- newPassword
Alarmingly, this method did not require the user’s current password or any form of authentication token. An attacker with knowledge of a user’s ID could potentially reset any account’s password, leading to full account takeover.
The researcher demonstrated the severity of this vulnerability by:
- Extracting user IDs from the exposed User object
- Crafting a request to the vulnerable resetPassword method
- Successfully changing a test user’s password without proper authentication
This vulnerability essentially bypassed all intended security measures for password resets, putting every user account at risk of unauthorized access.
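To make the broken-access-control finding concrete, here is an added example (not the actual CA_ChangePasswordSettingController, whose source is not published in the article; class names and bodies below are hypothetical). The first class reproduces the shape of the described method: it accepts a user ID and a new password and applies them with no proof that the caller is that user. The second shows the defensive shape: a self-service change that can only act on the authenticated user and requires the current password, plus a separately gated administrative reset that sends a reset link instead of accepting an attacker-chosen password.

```apex
// Added example, not from the original article. Names are hypothetical.

// VULNERABLE SHAPE: any authenticated (or, if exposed to guests, unauthenticated)
// caller can set any user's password, because the target is chosen by the caller
// and nothing ties userID to the running user or checks the current password.
public without sharing class PasswordResetControllerVulnerable {
    @AuraEnabled
    public static String resetPassword(String userID, String newPassword) {
        System.setPassword(userID, newPassword);   // caller-controlled target
        return 'OK';
    }
}

// HARDENED SHAPE 1: self-service password change.
// No userId parameter exists, so the only account that can be affected is the
// one the caller is logged in as. Site.changePassword verifies oldPassword
// against the running user's credentials and applies the org password policy.
public with sharing class PasswordChangeControllerSecure {
    @AuraEnabled
    public static Boolean changeOwnPassword(String oldPassword,
                                            String newPassword,
                                            String verifyNewPassword) {
        // Guest (unauthenticated) community users must never reach this code path.
        if (UserInfo.getUserType() == 'Guest') {
            throw new AuraHandledException('Authentication required');
        }
        if (String.isBlank(newPassword) || newPassword != verifyNewPassword) {
            throw new AuraHandledException('New passwords are blank or do not match');
        }
        // Assumption in this example: a null PageReference means the change was
        // rejected (e.g. wrong current password); treat that as failure.
        PageReference result = Site.changePassword(newPassword, verifyNewPassword, oldPassword);
        return result != null;
    }
}

// HARDENED SHAPE 2: administrative reset of another user.
// Gated by an explicit custom permission (name hypothetical) and implemented as
// "send a reset link" (System.resetPassword with email), so the caller never
// chooses the victim's new password even when authorised.
public with sharing class AdminPasswordResetControllerSecure {
    @AuraEnabled
    public static Boolean sendResetLink(Id targetUserId) {
        if (!FeatureManagement.checkPermission('Can_Reset_Community_Passwords')) {
            throw new AuraHandledException('Not authorised to reset passwords');
        }
        // Defensive scope check: only act on users the running user can read under
        // sharing rules (with sharing is in effect for this query).
        List<User> target = [SELECT Id FROM User WHERE Id = :targetUserId LIMIT 1];
        if (target.isEmpty()) {
            throw new AuraHandledException('User not found or not accessible');
        }
        System.resetPassword(targetUserId, true);  // true = email a reset link
        return true;
    }
}
```

The design point is the absence of a caller-supplied user ID on the self-service path: an access-control check that can be forgotten is weaker than an interface on which the dangerous parameter does not exist. Auditing custom controllers for methods that take a user ID together with a credential or secret value is a quick way to find this class of bug.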
The following recommendations were made:
- Conduct a thorough review of object and field-level security settings
- Implement proper authentication checks for all password reset functionalities
- Restrict access to sensitive API endpoints and file download routes
- Regularly audit custom Apex controllers for security issues
- Implement strong input validation and access controls on all custom methods
This incident highlights the importance of rigorous security testing for Salesforce implementations, especially when dealing with custom development and complex permission models.
Organizations using Salesforce should prioritize regular security assessments to identify and mitigate such vulnerabilities before they can be exploited by malicious actors.