Salesforce Closes Door to Hack Attacks

An injection vulnerability that could have opened the door to hackers has been patched by Salesforce after security researchers notified the company of their discovery. The vulnerability, which existed in a subdomain of the Salesforce.com cloud-based CRM platform, could have paved the way for phishing e-mails that looked legitimate because they would have appeared to come from within the application itself.

Salesforce told us in a statement today that it investigated and fixed "a minor vulnerability impacting the blog site 'admin.salesforce.com,' which is not connected to the Salesforce application or customer data." The company added, "We have no evidence of impact to Salesforce customers or their data."

The patch was validated on Monday by Elastica, the San Jose-based cloud application security company that first discovered the vulnerability in early July. According to Elastica, the convincing phishing e-mails the vulnerability could have enabled might have tricked users into entering legitimate login credentials, which attackers could then have used.

XSS Exploitation 'Most Prolific' Hack

Researchers in Elastica's Cloud Threat Labs said they discovered the vulnerability in a Salesforce subdomain used for blogging. The cross-site scripting (XSS) flaw failed to properly filter input from a remote user as part of an HTTP request, which could have allowed hackers to "steal cookies and session identifiers, force users to visit phishing sites that extract credentials, and distribute malicious code to user machines."
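A minimal illustration of the bug class described above (a request parameter reflected into a blog page without encoding) next to the standard defences, added here as an example and not code from Salesforce or Elastica; the search endpoint, the `q` parameter and the `sid` cookie name are assumptions, since the article gives no such details:

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Hypothetical blog "search" page that reflects the user's query term.
# The article does not describe the real endpoint; these handlers are constructed.


def render_search_unsafe(term: str) -> str:
    """The bug class: raw request input placed straight into HTML."""
    return f"<h1>Results for: {term}</h1>"


def render_search_safe(term: str) -> str:
    """Mitigation: HTML-escape untrusted data before it lands in an element body."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"


def handle_search_request(url: str) -> str:
    """Pulls the 'q' parameter from a request URL and renders it safely."""
    params = parse_qs(urlsplit(url).query)
    term = params.get("q", [""])[0]
    return render_search_safe(term)


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the cookie-theft impact quoted above: HttpOnly keeps
    script from reading the session cookie, Secure and SameSite limit exposure."""
    jar = SimpleCookie()
    jar["sid"] = session_id
    jar["sid"]["httponly"] = True
    jar["sid"]["secure"] = True
    jar["sid"]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to contrast the two renderers: did a raw <script tag survive?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed sample input: a harmless script tag stands in for any injected markup.
    probe = "<script>alert(1)</script>"
    print(render_search_unsafe(probe))
    print(render_search_safe(probe))
    print(session_cookie_header("constructed-session-id"))
```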

"Exploitation of XSS vulnerabilities is among the most prolific methods of Web application hacking today," said Aditya Sood, lead architect at Elastica's Cloud Threat Labs. "Although this particular flaw was only present in a Salesforce subdomain, exploiting the trust of the company's primary domain could have allowed attackers to easily implement phishing attacks to gain access to user credentials. With stolen credentials, attackers can then access users' accounts and exfiltrate sensitive...
