Are Salesforce Accounts Unsafe Due To Script Injection Vulnerability?
February 22, 2016
Business Management

According to trusted sources, a script injection vulnerability was discovered in the well-known Salesforce cloud CRM system. It could have exposed users to phishing emails that appeared to come from a trusted domain. It was, however, regarded as a low-impact threat, chiefly because it was found in a subdomain rather than in the main Salesforce domain. Reports indicate that Salesforce patched the vulnerability on August 10.
Quite recently, a security issue was discovered in a Salesforce subdomain used for blogging. This sort of vulnerability could result in the hijacking of Salesforce accounts or the distribution of malicious code to account users. The subdomain was apparently susceptible to a cross-site scripting (XSS) vulnerability.
A particular function in the application failed to sanitize or filter arbitrary input passed in an HTTP request from a remote user. Had an attacker executed JavaScript in the context of the application, the security and privacy of Salesforce users would have been compromised. Moreover, Salesforce accounts across various applications were at risk, since Salesforce is used for single sign-on (SSO) to manage multiple accounts.
Vulnerability Exploitation Possibilities
Had an attacker executed JavaScript that steals session identifiers and cookies, the result could have been a Salesforce account takeover, since under the same-origin policy (SOP) script running on the vulnerable origin can read that origin's cookies and session data.
An attacker could have redirected Salesforce users to phishing sites that harvest credentials through social engineering, or introduced pop-up windows to facilitate phishing. Users could also have been made to download malicious code onto their computers through the execution of unauthorized scripts.
Web application hacking is very much on the rise. Exploitation of XSS vulnerabilities is currently one of the most prevalent forms of web application attack. Fortunately, this particular vulnerability existed only in a Salesforce subdomain. However, an attacker could still have traded on the trust users place in Salesforce's primary domain to mount convincing phishing attacks for acquiring Salesforce user credentials. Attackers typically use stolen credentials to access user accounts and exfiltrate highly sensitive data while remaining undetected for extended periods.
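As an added example, not code from the original post or from Salesforce: a minimal Node.js sketch of the flaw the article describes (a request parameter echoed into HTML unencoded) beside the defender-side fixes, output encoding and an HttpOnly session cookie that script cannot read even if XSS slips through. The search endpoint, function names and probe string are hypothetical.

```javascript
// Hypothetical blog search page that reflects the "q" request parameter into HTML.

// Vulnerable: the parameter from the HTTP request is written into the page as-is,
// so any markup or script in it becomes part of the document (reflected XSS).
function renderSearchUnsafe(q) {
  return `<h1>Search results for: ${q}</h1>`;
}

// Fix 1: HTML-encode user-controlled text before it reaches the HTML body.
// Each character that can open a tag, attribute or entity is replaced.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchSafe(q) {
  return `<h1>Search results for: ${escapeHtml(q)}</h1>`;
}

// Fix 2: limit the blast radius of any XSS that does get through.
// HttpOnly keeps the session cookie out of document.cookie, Secure keeps it off
// plaintext HTTP, and SameSite=Lax stops most cross-site sending.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Crude review-time check over rendered output: did a raw <script> tag or an
// inline event handler survive? (Constructed heuristic, not a full scanner.)
function containsActiveHtml(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed probe string: the classic harmless XSS test marker.
const probe = '<script>alert(1)</script>';

console.log(renderSearchUnsafe(probe)); // script tag lands in the page verbatim
console.log(renderSearchSafe(probe));   // rendered as literal text instead
console.log(sessionCookieHeader('sid', 'constructed-session-id'));
```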
Vulnerability Disclosure to Salesforce
The vulnerability was disclosed to Salesforce over a month earlier. Salesforce initially regarded it as not very serious, since it did not exist on its main salesforce.com website, and according to Salesforce the risk was limited because only selected users could have been targeted. However, after recognizing the potential for account takeover, the organization addressed the issue and mitigated it successfully.
The Current Scenario
Most organizations have already started adopting cloud computing to address their business needs. Modern cloud computing seems well ahead of time-consuming and costly conventional solutions. It promises reduced capital expenditure, the elimination of maintenance tasks, shorter application deployment times, and staff who are free to add value to the core business. Most importantly, cloud computing promises tight security thanks to the latest security technologies. You must make sure that the cloud provider you choose offers top-class privacy and security controls for protecting your data effectively.
Salesforce’s Promise
Salesforce.com, Inc. is committed to safeguarding the privacy of everyone who visits its websites, registers to use its services, or registers to attend its corporate events. Salesforce therefore assures all its visitors, customers and attendees of foolproof security and privacy.