Cyber Security News

Ghost Sites – Hackers May Steal Corporate Data From Deactivated Salesforce Communities

Researchers at Varonis Threat Labs discovered that some Salesforce sites were improperly deactivated or unmaintained SalesforceGhost Sites.

Threat actors can exfiltrate PII and business data by simply manipulating the host headers for these websites.

Salesforce partners and customers are provided an option to create customized communities to help them collaborate.

When these communities are not needed, they are set aside instead of deactivated

In addition to this, these kinds of community sites are not maintained, which means that they are not scanned or tested for vulnerabilities.

Admins often fail to security test these websites due to the newer guidelines for site security.

However, researchers discovered that these websites can still pull data from Salesforce sites. These sites are very within reach for threat actors and easily exploitable.

As these sites are unmonitored, threats often go undetected and are exploited by threat actors. These sites are named “Ghost Sites.”

Ghost Sites Arise

Companies often create custom domain names for their users to browse their Salesforce sites.

For instance, If “Acme” decides to partner up with Salesforce, instead of creating “”, is created, which is DNS configured to point towards (Salesforce Website)

However, for the new DNS record to work, it should have a CNAME entry that points to the FQDN (Fully Qualified Domain Name).

It is then followed by the organization ID (00d400) and

Now, people who visit will be able to browse Acme’s Salesforce website. Nevertheless, the original problem arises when Acme chooses a new vendor instead of Salesforce.

Birth of a Ghost Site

If Acme goes with another vendor who runs their application on the AWS environment, Acme will modify the DNS record of “” to point towards the new vendor.

The is not entirely removed, which continues to pull data from Salesforce and becomes a ghost site.

Exploiting these Ghost Sites

Though it is not as simple as calling a Salesforce endpoint like “Aura” to extract information, it is still possible for threat actors with the right methodology.

Since these sites are still active in Salesforce, the siteforce (Salesforce) domain will resolve, but accessing information will take some effort.

Once these websites are detected, threat actors can modify the host header, resulting in Salesforce serving the website to the threat actor.

This is because Salesforce thinks that this website is being accessed by

Full Internal URLs will also make these websites accessible to threat actors. Full internal URLs can be extracted by using tools like SecurityTrails, which make these ghost sites visible.

Old websites in these circumstances are less secure and decrease the effort of an attack.

Researchers found many ghost sites that provide much more PII (Personally Identifiable Information) and sensitive business data easily accessible.

Data exposure was not limited to old data but also new records shared with guest users. This was because of the sharing configuration in Salesforce environments.


  • Sites that are no longer in use must be deactivated.
  • Keeping track of all the Salesforce sites and their user permission is highly recommended
  • Subdomain cleanup can be done to keep track of all the active and inactive domains.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

FishXProxy Fuels Phishing Attacks with Clever Deceptive Attacks

Imagine receiving an email that looks legitimate, down to the last detail. This is the…

2 hours ago

Beware of Phishing Attack that Abuses SharePoint Servers

A massive phishing campaign exploits Microsoft SharePoint servers to host malicious PDFs containing phishing links.…

3 hours ago

Apple Warns of Users in 98 Countries of Targeted Spyware Attacks

Apple has alerted iPhone users in 98 countries about potential mercenary spyware attacks. This marks…

5 hours ago

Citrix NetScaler ADC & Gateway Impacted by regreSSHion RCE Vulnerability

Qualys discovered a critical remote unauthenticated code execution (RCE) vulnerability, CVE-2024-6387, in OpenSSH’s server (sshd).…

6 hours ago

4000+ Domains Used By FIN7 Actors Mimic Popular Brands

Russian-linked FIN7 (aka Sangria Tempest, ATK32, Carbon Spider, Coreid, ELBRUS, G0008, G0046, and GOLD NIAGARA)…

6 hours ago

CISA Warns of Hackers Exploiting OS Command Injection Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have…

1 day ago