Why you might have data leaks in your Salesforce Digital Experiences and how to plug the holes

Managing Salesforce security is quite similar to driving a car. Just like there are blind spots that you have to identify while driving, the same goes for Salesforce. Driving safely requires you to pay attention to those blind spots. Similarly, there could be blind spots in your Salesforce as well, which, if not paid attention to, might cause data leaks that can threaten your sensitive information.

Salesforce Communities, now called Salesforce Digital Experiences, are something any Salesforce user would be aware of. It’s one of those features that is highly appreciated for the ease of bringing an entire Salesforce community of customers and partners together.

But as you’re asking questions and sharing data with your customers and partners, do you believe it is safe? Does your data remain within that community, or are there any unknown holes that may cause your data to leak? Something to think about, right?

What Exactly Is the Issue?

Many companies store very sensitive information on Salesforce, and I’m sure you realize what it would mean if your sensitive data was leaked to the public internet. But what exactly could cause data to be leaked? The answer is a misconfigured Salesforce Community or Digital Experience.

Research says that a misconfigured Salesforce Community could cause your sensitive data on Salesforce to leak to anyone using the internet. This misconfiguration could allow any anonymous, or even authenticated, user to access sensitive details that they normally should not be able to access, such as support cases, employee details, and customer lists, or, even worse, health care or financial information.

Salesforce is a very powerful and customizable platform. Therein lies the problem. It is too easy to accidentally expose data to attackers without even knowing it.

“With great power, comes great responsibility”

How are Attackers Exploiting Salesforce Digital Experiences?

A misconfiguration of security in Salesforce Digital Experiences provides attackers with a hole to easily gather sensitive data, which can be inappropriately used for running spear-phishing campaigns at a minimum.

But if you consider the worst-case scenario, this kind of misconfiguration can lead to attackers exploiting weak configuration settings to get access to sensitive business data.

Once an attacker finds a site that they can exploit, they will spend a considerable amount of time gathering information about the site. That information could be used to perform a multitude of attacks against your Salesforce Digital Experience site, and potentially even to gain full access to query, update, or delete any data in your Salesforce org.

Customers use Salesforce Digital Experiences for business cases such as customer service, subscription management, Covid tracking / healthcare, and loan origination or other financial service handling. Being internet-facing, these sites can be accessed at any time and from any place. Salesforce Digital Experiences are also indexed by Google, making them easy to find, not just for partners and customers, but also for hackers who are always looking for vulnerable sites.

Salesforce Digital Experiences run on Salesforce Lightning, which is composed of a large number of client-side facing APIs that cannot be disabled. These enable developers to assemble web pages quickly using a drag-and-drop builder. Most people don’t know that every Lightning Experience page is rendered on load through these client-side APIs. This means that every component, every layout, all the data, and even custom Apex methods are accessed through these client-side facing APIs.

But if an unauthenticated user, or even an authenticated user, has access to data or can perform actions you normally would not want them to, they can use these Aura APIs to query data; create, update, or delete records; or even take advantage of exposed custom Apex code to steal sensitive data or inject viruses or other malicious code into Salesforce.

The worst part is that there is no way to disable access to these APIs. Even with the “API Enabled” permission turned off, attackers can still reach them, because they are core to the Lightning Experience in Salesforce. Furthermore, these APIs offer capabilities similar to those of Salesforce’s REST or SOAP APIs.

These APIs are mostly harmless, provided the user doesn’t have access to operations or data that they normally should not.

What makes the situation more critical is that finding vulnerable Salesforce Digital Experience sites to attack is just a Google search away: there is a specific Google search that returns pages upon pages of Salesforce Digital Experience sites. An attacker can find many avenues to learn details about such sites and gain access as an unauthenticated guest, or even as an authenticated user on sites that offer a self-registration option.

Also, an attacker with more advanced knowledge might attack the community's vulnerable custom and third-party components, for example by passing parameters to exposed Apex methods to take advantage of poorly designed methods that could allow them to retrieve sensitive information or execute malicious operations.

To understand this better, Matt Meyers, a Salesforce CTA and Managing Partner for EzProtect, will demonstrate how an attacker could hack a Salesforce Digital Experience to steal customer data in a session at Cactusforce.

How Is Salesforce Trying to Improve Security for Digital Experiences?

Salesforce is making several changes to guide users away from such critical configuration mistakes in Digital Experiences. Salesforce has already removed the ability for guest users of Digital Experiences to access excessive information. It has also made changes to ensure that critical security settings are secure by default. For example, guest users cannot own records by default, and guest users cannot upload files.

Salesforce brought a few updates with its Winter ‘21 release to secure communities for users. Some of these updates included:

●      Reduce object permissions for guest users: This feature removes object permissions such as Edit, Delete, View All Data, and Modify All Data from guest users.

●      Enhanced security for managed topic images: Before Winter ‘21, Salesforce Digital Experiences stored managed topic images as documents, which were accessible to everyone, even if the site was private. With the update, images are stored as private.

●      Disabled setting to let guest users see other members: Earlier, the setting that allowed admins to give guest users visibility of other users revealed those users' PII. With the update, this setting is turned off by default.

What Can You Do To Avoid Attacks On Salesforce Digital Experiences?

Reading about such attacks might make you feel overwhelmed and worried the next time you open your Digital Experiences. But it doesn’t have to be that way. Although it’s quite challenging to make Salesforce completely secure for your data, there are a few steps you can take to keep your communities guarded.

By now, I hope you understand that the more access you give to anonymous guest users, and even to authenticated users, the greater the chance of such attacks. So the key is to constantly review and audit your user permissions, and especially your guest user permissions.

Here are some points that can help you make your Digital Experiences more secure and prevent attacks by unauthorized users.

1.   Set permissions for the guest user profile

One thing you should take away from this post is that guest users should have access to the minimum amount of data needed when interacting through the community. So, to keep your Digital Experience secure, modify the permissions of the guest user profile: change the access settings, and also use field-level security to control user access at a granular level.

2.   Enable secure access to the guest user record

Secure the default access setting for guest users. In Setup, look for Sharing Settings and find Secure guest user record access. Make sure the setting is checked. With the Summer ‘20 release, Salesforce also disabled the setting that granted guest users the View All Users permission.

3.   Disable API access

We’ve seen above that an API-led misconfiguration can open a back door into the Salesforce community. So it’s essential to disable API access to avoid such attacks. Check that “API Enabled” is unchecked, and disable “Access Activities” too. (But remember that even with the “API Enabled” setting disabled, the Lightning APIs are still accessible.)

You should also continuously monitor sharing rules and permissions for guest and community users. Along with this, keep track of which records your external users own, and what the security implications of them owning specific records are.

4.   Set a default owner for records by guest users

In the site builder, navigate to the Administration workspace. Under Preferences, set a default owner for records created by guest users, and turn off the setting that lets guest users view site members.
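Steps 1 and 3 above come down to auditing what the guest user profile is actually granted. As an added example (not code from the post, from EzProtect, or from Salesforce), here is a small offline audit over records shaped like a guest-profile object-permissions query result; the SOQL shape quoted in the docstring, the license name, and the sample records are assumptions constructed for this illustration.

```python
"""Flag the guest-profile grants this post warns about, from query results.

Records mimic the Salesforce REST API JSON for a SOQL query of this (assumed) shape:
  SELECT SobjectType, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords,
         PermissionsModifyAllRecords, Parent.Profile.Name, Parent.Profile.PermissionsApiEnabled
  FROM ObjectPermissions WHERE Parent.Profile.UserLicense.Name = 'Guest User License'
"""
from typing import Dict, List

# Object-level grants a guest profile should not hold (those the Winter '21
# "Reduce object permissions for guest users" update removes).
RISKY_OBJECT_FLAGS = (
    "PermissionsEdit",
    "PermissionsDelete",
    "PermissionsViewAllRecords",    # "View All" at object level
    "PermissionsModifyAllRecords",  # "Modify All" at object level
)


def audit_guest_permissions(records: List[dict]) -> List[Dict[str, str]]:
    """Return one finding per risky grant, sorted for stable reporting."""
    findings: List[Dict[str, str]] = []
    api_flagged = set()
    for rec in records:
        profile = rec["Parent"]["Profile"]
        name = profile["Name"]
        # "API Enabled" on a guest profile is reported once per profile.
        if profile.get("PermissionsApiEnabled") and name not in api_flagged:
            api_flagged.add(name)
            findings.append({"profile": name, "object": "*", "issue": "ApiEnabled"})
        for flag in RISKY_OBJECT_FLAGS:
            if rec.get(flag):
                findings.append({"profile": name, "object": rec["SobjectType"], "issue": flag})
    return sorted(findings, key=lambda f: (f["profile"], f["object"], f["issue"]))


def _rec(profile: str, api: bool, sobject: str, **flags) -> dict:
    """Build one constructed record in the nested shape the REST API returns."""
    rec = {"SobjectType": sobject, "Parent": {"Profile": {"Name": profile, "PermissionsApiEnabled": api}}}
    rec.update(flags)
    return rec


# Constructed sample (not from any real org): one guest profile with API access,
# Edit on Case and View All on Contact, and one correctly locked-down profile.
SAMPLE_RECORDS = [
    _rec("Support Site Profile", True, "Case", PermissionsRead=True, PermissionsEdit=True),
    _rec("Support Site Profile", True, "Contact", PermissionsRead=True, PermissionsViewAllRecords=True),
    _rec("Partner Site Profile", False, "Account", PermissionsRead=True),
]


def sample_findings() -> List[Dict[str, str]]:
    return audit_guest_permissions(SAMPLE_RECORDS)
```

Read-only grants are left alone, since a community normally needs some of them; each finding names the profile, the object, and the specific permission to remove.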

Wrapping Up

Turning off access for guest users is a decision that will differ from company to company. Sometimes you cannot avoid collaborating in a community and cannot completely cut off your guest users. But you can be more careful about the data you access and share with your external users.

Even Salesforce preaches a ‘shared responsibility’ model when it comes to using the CRM and the data safely. Although Salesforce is making more and more efforts with each release to make the CRM more secure and convenient for users, it’s also up to you to follow all security guidelines and implement needed settings for better data security.

Following Salesforce's basic security guidelines will also make you aware of best practices for keeping your Salesforce org secure. Additionally, the points covered above can help keep closed those back doors that an unauthorized user with malicious intent could exploit.

If you are concerned about your data being exposed or unsafe, book a free Salesforce security assessment to see if you are at risk, or better yet, come visit us at our booth at Cactusforce.
