URL: https://www.csoonline.com/article/3697657/inactive-unmaintained-salesforce-sites-vulnerable-to-threat-actors.html
INACTIVE, UNMAINTAINED SALESFORCE SITES VULNERABLE TO THREAT ACTORS


RESEARCH HIGHLIGHTS THE RISKS POSED BY INACTIVE SALESFORCE SITES THAT CONTINUE
TO PULL SENSITIVE BUSINESS DATA AND CAN BE EASILY EXPLOITED BY MALICIOUS ACTORS.

 * 
 * 
 * 
 * 
 * 
 * 
 * 

By Michael Hill

UK Editor, CSO | 31 May 2023 13:00
Improperly deactivated and unmaintained Salesforce sites are vulnerable to
threat actors who can gain access to sensitive business data and personally
identifiable information (PII) by simply changing the host header. That’s
according to new research from Varonis Threat Labs, which explores the threats
posed by Salesforce “ghost sites” that are no longer needed, set aside, but not
deactivated. These sites are typically not maintained or tested against
vulnerabilities, while admins fail to update security measures according to
newer guidelines. However, they can still pull fresh data and are easily
exploitable by malicious actors, the researchers said.

The research follows a recent report from Okta, which warned that inactive and
non-maintained accounts pose significant account takeover security risks with
cybercriminals adept at using information stolen from forgotten or otherwise
non-upheld accounts to exploit active accounts. Meanwhile, Google announced that
it is updating its inactivity policy for Google Accounts to two years on
security grounds, meaning that if a personal account has not been used or signed
into for at least two years, it may delete the account and its contents. Google
stated that abandoned accounts are at least ten-times less likely than active
accounts to have multifactor authentication set up and typically rely on
password reuse, making them particularly vulnerable to compromise.


WHAT ARE SALESFORCE GHOST SITES?

Salesforce ghost sites are typically created when companies use custom domain
names instead of unappealing internal URLs so partners can browse them, Varonis
Threat Labs wrote. “This is accomplished by configuring the DNS record so that
‘partners.acme.org’ [for example] points to the lovely, curated Salesforce
Community Site at ‘partners.acme.org.00d400.live.siteforce.com’. With the DNS
record changed, partners visiting ‘partners.acme.org’ will be able to browse
Acme’s Salesforce site.” The trouble begins when Acme decides to choose a new
Community Site vendor, the researchers said.



Like any other technology, companies might replace a Salesforce Experience Site
with an alternative. “Subsequently, Acme modifies the DNS record of
‘partners.acme.org’ to point toward a new site that might run in their AWS
environment,” Varonis Threat Labs added. From the users’ viewpoint, the
Salesforce Site is gone, and a new Community page is available. The new page
might be completely disconnected from Salesforce, not running in the
environment, and no obvious integrations are detectable.

However, the researchers discovered that many companies stop at just modifying
DNS records. “They do not remove the custom domain in Salesforce, nor do they
deactivate the site. Instead, the site continues to exist, pulling data and
becoming a ghost site.”


ATTACKERS CAN EXPLOIT SALESFORCE GHOST SITES BY CHANGING THE HOST HEADER

As a ghost site remains active in Salesforce, the siteforce domain still
resolves, meaning it’s available under the right circumstances, the researchers
said. “A straightforward GET request results in an error — but there is another
way to gain access. Attackers can exploit these sites by simply changing the
host header.” This tricks Salesforce into believing that the site was accessed
correctly, and Salesforce would serve the site to the attacker, they added.



Although these sites are also accessible using the full internal URLs, these
URLs are difficult for an external attacker to identify, the researchers pointed
out. “However, using tools that index and archive DNS records — such as
SecurityTrails and other similar tools — makes identifying ghost sites much
easier.” Adding to the risk is the fact that old, obsolete sites are less
maintained and therefore less secure, increasing the ease of an attack.




SALESFORCE GHOST SITES FOUND TO HOST SENSITIVE BUSINESS DATA, PII

The Varonis researchers said they found many inactive sites with confidential
data, including sensitive business data and PII, that was not otherwise
accessible. “The exposed data is not restricted to only old data from when the
site was in use; it also includes new records that were shared with the guest
user, due to the sharing configuration in their Salesforce environment.”

Sites that are no longer in use should be deactivated, the researchers advised,
along with highlighting the importance of tracking all Salesforce sites and
their respective users’ permissions — including both community and guest users.
Varonis Threat Labs has also created a guide for protecting active Salesforce
Communities against recon and data theft.
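A defender-side inventory check that follows from the DNS mechanism described above and the advice to track every Salesforce site: it flags sites that are still active in Salesforce but whose custom domain no longer points at their Salesforce hostname. This is an added example, not code from the article or from Varonis; the site inventory, DNS snapshot and field names are constructed for illustration.

```python
# Added example (not from the article or Varonis): flag candidate "ghost sites",
# i.e. Salesforce Experience/Community sites that are still published while the
# custom domain that once pointed at them has moved elsewhere or disappeared.
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    custom_domain: str   # e.g. partners.acme.org
    siteforce_host: str  # Salesforce-side hostname the domain used to CNAME to
    active: bool         # site still published in Salesforce
    guest_user: bool     # guest user can read records shared with it


# Constructed DNS snapshot: custom domain -> current CNAME target (None = no record).
DNS = {
    "partners.acme.org": "partners-new.eu-west-1.elb.amazonaws.example",
    "support.acme.org": "support.acme.org.00d400.live.siteforce.com",
    "events.acme.org": None,
}

# Constructed site inventory, e.g. exported from Salesforce Setup.
SITES = [
    Site("Partners", "partners.acme.org", "partners.acme.org.00d400.live.siteforce.com", True, True),
    Site("Support", "support.acme.org", "support.acme.org.00d400.live.siteforce.com", True, True),
    Site("Events", "events.acme.org", "events.acme.org.00d400.live.siteforce.com", False, True),
]


def find_ghost_sites(sites, dns):
    """Return (site name, reason) for active sites whose DNS no longer points at Salesforce."""
    findings = []
    for s in sites:
        if not s.active:
            continue  # deactivated in Salesforce: nothing is served any more
        target = dns.get(s.custom_domain)
        if target is None:
            reason = "custom domain has no DNS record but the site is still active"
        elif target.lower() != s.siteforce_host.lower():
            reason = f"custom domain now points to {target}, not Salesforce"
        else:
            continue  # DNS and Salesforce agree: site is in use
        if s.guest_user:
            reason += "; guest user still receives shared records"
        findings.append((s.name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in find_ghost_sites(SITES, DNS):
        print(f"GHOST SITE {name}: {reason} -> deactivate the site and remove the custom domain")
```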

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus
years covering various aspects of the cybersecurity industry, with particular
interest in the ever-evolving role of the human-related elements of information
security.

Copyright © 2023 IDG Communications, Inc.