Wednesday, June 19, 2024

Apex Code Vulnerabilities Let Hackers Steal Salesforce Data

Hackers target Apex code vulnerabilities in Salesforce to exploit security weaknesses, gain unauthorized access to sensitive data, or manipulate the system.

Apex is a powerful language that enables the customization of Salesforce with Java-like syntax. It executes logic, controls transactions, and responds to system events. 

This is primarily used for business logic and is triggered by web services and object events.

Cybersecurity researchers at Varonis Threat Labs recently discovered serious Apex vulnerabilities in multiple Fortune 500 companies and government agencies.

While researchers promptly reported and alerted the affected companies, the vulnerabilities were marked with high and critical severity tags.

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks.

Apex Code Vulnerabilities

The Apex code can be run in two different modes:-

‘Without sharing’ in Apex disregards user permissions, which grants unrestricted access and modification. 

‘With sharing’ respects record-level permissions while overlooking object and field-level restrictions.

Running Apex classes ‘without sharing’ grants powerful capabilities but raises risks. It can lead to insecure data access (IDOR) and vulnerabilities like SOQL injection, Varonis said.

Besides this, the misuse by external users or guests poses data integrity threats. VTL demonstrates exploiting Apex vulnerabilities to access user data without permission. 

Using a Salesforce environment with real code issues, the instance shows how attackers can abuse aura methods for reconnaissance.

This enables the extraction of sensitive data like phone or social security numbers.

Using the aura method (Source - Varonis)
Using the aura method (Source – Varonis)

Despite a custom field ‘VerySecretFlag__c,’ users can’t access others’ data. Even ‘CreatedBy.VerySecretFlag__c’ fails, and guests also lack access. 

To bypass this, researchers exploited the ‘apex://CaseCreationController/ACTION$createCaseR’ via a custom Apex class, which is callable with Aura, specifying desired field returns.

The case retrieved solely via Apex is inaccessible by other means that hint at ‘without sharing’ mode. To access ‘VerySecretFlag,’ an attacker exploits this by specifying desired fields, like ‘CreatedBy.VerySecretFlag__c,’ via an over-permissive class by accessing data from other objects.

Apex is essential in Salesforce, but reviewing classes, especially ‘without sharing,’ boosts security as manual checks are time-consuming. 

Both the Profiles and Permission Sets need to be examined to determine access. Access setup through Salesforce setup and then navigate to the Profiles. 

Besides this, review each profile’s ‘Enabled Apex Class Access’ section.

Enabled Apex Class Access (Source - Varonis) 
Enabled Apex Class Access (Source – Varonis) 

To verify the access, check Permissions Sets for each entry. Review users assigned to Profiles and Permission Sets. Examine class source code for the ‘without sharing’ declaration. 

With Event Monitoring, track user calls and adjust permissions. Ensure safe coding practices, like using ‘:queryName’ syntax in SOQL to prevent injection.

Moreover, consider adding “WITH SHARING_ENFORCED” to your queries to enforce object- and field-level permissions. Adding “WITH SHARING_ENFORCED” only affects SELECT clauses and not WHERE clauses.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Website

Latest articles

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...

Chrome Security Update – Patch for 6 Vulnerabilities

Google has announced a new update for the Chrome browser, rolling out version 126.0.6478.114/115...

Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group,...

Hackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Hackers are offering "free" mobile data access on Telegram channels by exploiting loopholes in...

New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication

Several phishing campaign kits have been used widely by threat actors in the past....

Stuxnet, The Malware That Propagates To Air-Gapped Networks

Stuxnet, a complex worm discovered in 2010, targeted Supervisory Control and Data Acquisition (SCADA)...

Threat Actors Claiming Breach of AMD Source Code on Hacking Forums

A threat actor named " IntelBroker " claims to have breached AMD in June...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles