Home Many public Salesforce sites exposing private data

Many public Salesforce sites exposing private data

April 28 — Recent research has revealed that a shocking number of organizations — including banks and healthcare providers — are leaking private and personal information from their public Salesforce Community websites.

The data exposure is due to a misconfiguration in Salesforce Community that enables an unauthenticated user to access records that should only be accessible after going through the standard login process.

Salesforce Community

Organizations leverage Salesforce Community, a cloud-based software product, to quickly create websites. Once extant, users can access a Salesforce Community website in two different ways; authenticated access (requiring login) and guest user access (no login required).

The guest access capability enables unauthenticated users to see resources without logging in. However, on occasion, Salesforce administrators accidentally grant guest users access to internal resources, meaning that unauthorized users may be able to access an organization’s private data, leading to data leaks. If that sounds tame, see examples of incidents below…

State of Vermont

Until very recently, the U.S. State of Vermont had at least five separate Salesforce Community sites that permitted guest access to sensitive data, including a Pandemic Unemployment Assistance program that exposed an applicant’s full name, SSN, address, phone number and bank account number.

Scott Carbee, Vermont’s Chief Information Security Officer, says that his security teams have been working on a comprehensive review of their Salesforce Community sites. In the process, they’ve found one additional Salesforce site that was also misconfigured, allowing guests to access sensitive information.

“My team is frustrated by the permissive nature of the platform,” stated Carbee. By way of explanation, Carbee noted that all of the vulnerable sites were created quickly, in response to the coronavirus pandemic, and that they were not subjected to the typical security review process.

“During the pandemic, we were largely standing up tons of applications, and let’s just say a lot of them didn’t have the full benefit of our dev/ops processes,” said Carbee. “In our case, we didn’t have any native Salesforce developers when we had to suddenly stand up all these sites.”

DC Health

Earlier this week, a prominent cyber security researcher notified Washington D.C. city administrators of the fact that at least five different public DC Health websites were widely accessible. One of the DC Health Salesforce Community websites was designed for health professionals who wanted to renew licenses with the city. However, the site leaked an applicant’s full name, SSN, address, DOB, license number and more.

The city’s Chief Information Security Officer, Mike Rupert, initially stated that the District had hired a third-party to investigate the situation. He also stated that the District’s IT systems were not at risk of data loss due to the Salesforce configuration concern.

However, after being presented with a document that included the social security number of a health professional in Washington D.C. that was downloaded in real-time, Rupert revised his comments, acknowledging that his team had overlooked certain configuration settings.

In Washington D.C., health administrators are still reeling from a data breach that occurred earlier this year and that exposed the personal information for more than 56,000 people — including many members of Congress. The stolen data was later listed for sale on a cyber crime forum.

Salesforce’s response

Salesforce says that the data exposures can occur when customers’ access control permissions are misconfigured. The vulnerability does not stem from an issue inherent in the Salesforce platform itself.

“As previously communicated to all Experience Site and Sites customers, we recommend utilizing the Guest User Access Report Package to assist in reviewing access control permissions for unauthenticated users,” stated a September 2022 Salesforce advisory. The company also advises that users review the following help article — Best Practices  and Considerations When Configuring the Guest User Profile.

In a written statement, Salesforce explained that it is actively pursuing stronger data security mechanisms for organizations. In addition, Salesforce continues to release “robust tools and guidance” for customers, updating policies where needed, and proactively communicating with customers wherever possible.

For more on this story, click here. Want to stay up-to-date with trends in technology? Check out the CyberTalk.org newsletter. Sign up today to receive top-notch news articles, best practices and expert analyses; delivered straight to your inbox.