Researchers at Varonis Threat Labs discovered that some Salesforce sites were improperly deactivated or unmaintained SalesforceGhost Sites.
Threat actors can exfiltrate PII and business data by simply manipulating the host headers for these websites.
Salesforce partners and customers are provided an option to create customized communities to help them collaborate.
When these communities are not needed, they are set aside instead of deactivated.
In addition to this, these kinds of community sites are not maintained, which means that they are not scanned or tested for vulnerabilities.
Admins often fail to security test these websites due to the newer guidelines for site security.
However, researchers discovered that these websites can still pull data from Salesforce sites. These sites are very within reach for threat actors and easily exploitable.
As these sites are unmonitored, threats often go undetected and are exploited by threat actors. These sites are named “Ghost Sites.”
Ghost Sites Arise
Companies often create custom domain names for their users to browse their Salesforce sites.
For instance, If “Acme” decides to partner up with Salesforce, instead of creating “acme.org/partners”, partners.acme.org is created, which is DNS configured to point towards partners.acme.org.00d400.live.siteforce.com (Salesforce Website).
However, for the new DNS record to work, it should have a CNAME entry that points to the FQDN (Fully Qualified Domain Name).
It is then followed by the organization ID (00d400) and live.siteforce.com.
Now, people who visit partners.acme.org will be able to browse Acme’s Salesforce website. Nevertheless, the original problem arises when Acme chooses a new vendor instead of Salesforce.
Birth of a Ghost Site
If Acme goes with another vendor who runs their application on the AWS environment, Acme will modify the DNS record of “partners.acme.org” to point towards the new vendor.
The partners.acme.org.00d400.live.siteforce.com is not entirely removed, which continues to pull data from Salesforce and becomes a ghost site.
Exploiting these Ghost Sites
Though it is not as simple as calling a Salesforce endpoint like “Aura” to extract information, it is still possible for threat actors with the right methodology.
Since these sites are still active in Salesforce, the siteforce (Salesforce) domain will resolve, but accessing information will take some effort.
Once these websites are detected, threat actors can modify the host header, resulting in Salesforce serving the website to the threat actor.
This is because Salesforce thinks that this website is being accessed by partners.acme.org.
Full Internal URLs will also make these websites accessible to threat actors. Full internal URLs can be extracted by using tools like SecurityTrails, which make these ghost sites visible.
Old websites in these circumstances are less secure and decrease the effort of an attack.
Researchers found many ghost sites that provide much more PII (Personally Identifiable Information) and sensitive business data easily accessible.
Data exposure was not limited to old data but also new records shared with guest users. This was because of the sharing configuration in Salesforce environments.
- Sites that are no longer in use must be deactivated.
- Keeping track of all the Salesforce sites and their user permission is highly recommended
- Subdomain cleanup can be done to keep track of all the active and inactive domains.
Struggling to Apply The Security Patch in Your System? –
Try All-in-One Patch Manager Plus