Sensitive data is being leaked from servers running Salesforce software

Servers hosting software sold by Salesforce are leaking sensitive data held by government agencies, banks and other organizations, according to a report published Friday by KrebsOnSecurity.

At least five separate sites controlled by the state of Vermont have allowed anyone to access sensitive data, Brian Krebs reported. The state’s Pandemic Unemployment Assistance program was one of those affected. It revealed the full names, Social Security numbers, addresses, phone numbers, email addresses and bank account numbers of applicants. Like the other affected organizations, Vermont used Salesforce Community, a cloud-based product designed to let organizations quickly create websites.

Another affected Salesforce customer was Huntington Bank of Columbus, Ohio. It recently acquired TCF Bank, which used Salesforce Community to process commercial loans. The exposed data fields include names, addresses, Social Security numbers, titles, federal IDs, IP addresses, average monthly payrolls, and loan amounts.

Both the State of Vermont and Huntington Bank learned of the leaks when Krebs contacted them for comment. In both cases, the customers quickly removed public access to the sensitive information.

Salesforce Community websites can be configured to require authentication so that only a limited number of authorized individuals can access sensitive data and internal resources. The sites can also be set up to give anyone unauthenticated access to public information. Administrators sometimes inadvertently allow unauthenticated visitors to reach sections of a site that should be accessible only to authorized employees.

Salesforce told Krebs that it provides customers with clear guidelines for configuring Salesforce Community to control what data is accessible to unauthenticated guests. The company pointed to three of its documentation pages.

Several people pushed back on that claim. One is Scott Carbee, Vermont’s chief information security officer, who told Krebs that his team was “frustrated with the permissive nature of the platform.” Another is Doug Merrett, who first tried to raise awareness of how easily Salesforce Community can be misconfigured two years ago. On Friday, he elaborated on the issue in a post headlined The Salesforce Communities Security Issue.

“The problem was that you can ‘hack’ the URL to see default Salesforce pages – Account, Contact, User, etc.,” Merrett wrote. “This wouldn’t really be a problem, except that the admin didn’t expect you to see the default pages because they didn’t add the objects associated with the Aura community navigation and therefore didn’t create appropriate page layouts to hide fields that they would not have wanted the user to see.”

In Salesforce terms, Aura refers to reusable user interface components that can be applied to selected parts of a web page, from a single line of text to an entire app.

Krebs said he learned of the leaks from security researcher Charan Akiri, who identified hundreds of organizations with misconfigured Salesforce sites. Akiri said that of the many companies and government organizations he notified, only five eventually resolved the issues. None of them belonged to the public sector.

One organization that Krebs notified was the government of Washington, DC, which uses Salesforce Community for at least five public DC Health websites that leaked sensitive information. The district’s interim chief information security officer told Krebs he had the findings reviewed by an outside consultant brought in to investigate. The third party, the CISO told Krebs, reported back that the sites were not vulnerable to data loss.

Krebs then provided a document containing a health worker’s Social Security number that he downloaded from DC Health while interviewing the CISO. The CISO then acknowledged that his team had overlooked some configuration settings.