Salesforce Applications Vulnerability Lets Attackers Take Over Accounts


A recent penetration test conducted on Salesforce Communities revealed critical vulnerabilities that could allow attackers to take over user accounts.

The security assessment, performed on multiple Salesforce instances, uncovered several issues related to misconfigured objects and broken access controls.

The investigation found that many standard and custom Salesforce objects were improperly configured, allowing unauthorized access to sensitive data.

By exploiting these misconfigurations, the researcher was able to retrieve:-

  • Customer PII from Contact objects
  • Account information including names, emails, and IDs
  • Personal notes from Note objects
  • Exposed files from Document, ContentDocument, and ContentVersion objects
  • Calendar events and other sensitive data from various objects

0xbro researchers observed that this level of access could provide attackers with a wealth of information for further exploitation or social engineering attacks.

Salesforce Overview (Source – 0xbro)


Technical Analysis

The researcher discovered that certain object IDs could be used to directly download files that were meant to be restricted.

By using specific API endpoints, attachments from Document, ContentDocument, and ContentVersion objects were accessible. This allowed the retrieval of deployment configurations, private screenshots, sales tables, and other sensitive files.

The most severe finding was a broken access control issue in a custom Apex controller named CA_ChangePasswordSettingController.

This controller exposed a resetPassword method that only required two parameters:-

  1. userID
  2. newPassword

Alarmingly, this method did not require the user’s current password or any form of authentication token. An attacker with knowledge of a user’s ID could potentially reset any account’s password, leading to full account takeover.

The researcher was able to demonstrate the severity of this vulnerability by:-

  1. Extracting user IDs from the exposed User object
  2. Crafting a request to the vulnerable resetPassword method
  3. Successfully changing a test user’s password without proper authentication

This vulnerability essentially bypassed all intended security measures for password resets, putting every user account at risk of unauthorized access.
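As an added illustration (not the real CA_ChangePasswordSettingController, whose code the report does not reproduce), the pattern described above is shown beside a hardened form; class and method names are hypothetical, and the platform calls used (System.setPassword, Site.changePassword, Auth.CommunitiesUtil.isGuestUser) are standard Apex:

```apex
// Added illustration, not code from the tested Salesforce instance.
// Class and method names are hypothetical.

// VULNERABLE PATTERN: the caller chooses the target user and proves nothing.
// Anyone who can reach the endpoint and knows a User Id can set that
// user's password, which is the account-takeover path described above.
public with sharing class InsecurePasswordController {
    @AuraEnabled
    public static String resetPassword(Id userID, String newPassword) {
        // No check that userID is the running user, no current password,
        // no token: the only "authorization" is knowing an Id.
        System.setPassword(userID, newPassword);
        return 'ok';
    }
}

// HARDENED FORM: the target is always the running user, the current
// password must be supplied and is verified by the platform, and
// unauthenticated (guest) community sessions are rejected outright.
public with sharing class SecurePasswordController {
    @AuraEnabled
    public static String changeOwnPassword(String oldPassword,
                                           String newPassword,
                                           String verifyNewPassword) {
        if (Auth.CommunitiesUtil.isGuestUser()) {
            throw new AuraHandledException('Authentication required');
        }
        if (String.isBlank(newPassword) || newPassword != verifyNewPassword) {
            throw new AuraHandledException('New passwords do not match');
        }
        // Site.changePassword only ever acts on the current user and fails
        // when oldPassword is wrong, so no arbitrary target Id is accepted.
        // Assumption: a null result is treated as failure; any platform
        // validation messages are surfaced via ApexPages.getMessages().
        PageReference result = Site.changePassword(newPassword,
                                                   verifyNewPassword,
                                                   oldPassword);
        if (result == null) {
            throw new AuraHandledException('Password change failed');
        }
        return 'ok';
    }
}
```

Auditing custom controllers for any method that takes a user Id and a password together, as the insecure class does, is a quick way to find this pattern before an attacker does.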

The report's recommendations are as follows:-

  1. Conduct a thorough review of object and field-level security settings
  2. Implement proper authentication checks for all password reset functionalities
  3. Restrict access to sensitive API endpoints and file download routes
  4. Regularly audit custom Apex controllers for security issues
  5. Implement strong input validation and access controls on all custom methods

This incident highlights the importance of rigorous security testing for Salesforce implementations, especially when dealing with custom development and complex permission models.

Organizations using Salesforce should prioritize regular security assessments to identify and mitigate such vulnerabilities before they can be exploited by malicious actors.
