Silent Threats Lurk in Your Salesforce Community
Improperly disabled and ignored Salesforce Site And Community (aka Experience Cloud) can pose a significant risk to organizations, leading to unauthorized access to sensitive data.
Data security company Varonis dubs the abandoned, unprotected and unmonitored resource “ghost site.”
“However, when these Communities are no longer needed, they are often sidelined but not disabled,” researcher Varonis Threat Labs said in a new report shared with The Hacker News.
“Because these unused sites are not maintained, they are not tested for vulnerabilities, and the Admin failed to update the site’s security measures according to newer guidelines.”
Varonis said he found many of these decommissioned (but still active) sites were still fetching new data, allowing threat actors to extract data by manipulating host header in the HTTP request.
Identifying the full internal URL associated with a site is challenging but not impossible, as adversaries can take advantage of tools such as SecurityTrails that track changes to DNS records.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Fraud can detect advanced threats, stop lateral moves, and improve your Zero Trust strategy. Join our insightful webinar!
Compounding the risk is the fact that outdated sites lack the latest security protections, making them ideal targets for threat actors looking to siphon sensitive information.
“The data exposed was not limited to old data while the site was in use; it also included new records shared with guest users, due to the configuration of sharing in their Salesforce environment,” the researchers said.
To mitigate threats associated with ghost sites, it is recommended that organizations track all Salesforce sites and their respective user permissions. It is also recommended that you deactivate sites that are no longer properly used.
