
"Evidence indicates the threat actor is leveraging a modified version of the open-source tool AuraInspector to perform mass scanning of public-facing Experience Cloud sites. While the original AuraInspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose, the actor has developed a custom version of the tool capable of going beyond identification to actually extract data - exploiting overly permissive guest user settings."
"Publicly accessible Salesforce sites use a dedicated guest user profile that enables an unauthenticated user to access landing pages, FAQs, and knowledge articles. However, if this profile is misconfigured with excessive permissions, it can potentially grant unauthenticated users access to more data than intended."
"At this time, we have not identified any vulnerability inherent to the Salesforce platform associated with this activity. These attempts exploit overly permissive guest user configurations rather than a flaw in the platform itself, requiring that customers be using the guest user profile and have not adhered to Salesforce's recommended configuration guidance."
Salesforce has identified increased threat actor activity targeting publicly accessible Experience Cloud sites through exploitation of misconfigured guest user permissions. Attackers are using a customized version of AuraInspector, an open-source security auditing tool originally released by Mandiant, to scan and extract data from exposed sites. Unlike the original tool, which only identifies misconfigurations by probing the API endpoints these sites expose, the modified version goes on to pull the data those endpoints return. The exposure stems from overly permissive guest user profiles that grant unauthenticated visitors more access to CRM objects than the landing pages, FAQs and knowledge articles the profile is meant to serve. Salesforce emphasizes this is not a platform vulnerability: it results from customers not following the recommended configuration guidance for the guest user profile on their Experience Cloud sites.
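As a concrete check for the misconfiguration described above, here is an added example (not from the Salesforce advisory, not part of AuraInspector, and not a Salesforce-provided script) that audits a guest user profile's object permissions. It assumes the input is the JSON emitted by the Salesforce CLI for the SOQL query shown in the block (`sf data query --json --query "..."`), that you supply the allow-list of objects your public site is meant to expose, and that the sample records are constructed for illustration rather than captured from a real org.

```python
"""Audit guest user object permissions on a Salesforce org.

Added example for this page; it is not the Salesforce advisory's code and
not part of AuraInspector. It assumes the input is the JSON emitted by the
Salesforce CLI for the SOQL query below (sf data query --json --query "...")
and that you supply the allow-list of objects your public site is meant to
expose. The sample input below is constructed, not captured from a real org.
"""
import json

# Pulls object permissions for every profile that owns a Guest user (the
# profile an Experience Cloud site assigns to unauthenticated visitors).
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, "
    "PermissionsCreate, PermissionsEdit, PermissionsDelete, "
    "PermissionsViewAllRecords, PermissionsModifyAllRecords "
    "FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true "
    "AND Parent.ProfileId IN "
    "(SELECT ProfileId FROM User WHERE UserType = 'Guest')"
)

# A guest profile should never carry these: they let an anonymous visitor
# write records or bypass sharing on every record of the object.
WRITE_OR_BYPASS = (
    "PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
    "PermissionsViewAllRecords", "PermissionsModifyAllRecords",
)


def audit_guest_permissions(cli_json, allowed_read_objects):
    """Return findings for guest grants beyond read on the allow-listed objects."""
    data = json.loads(cli_json) if isinstance(cli_json, str) else cli_json
    findings = []
    for rec in data["result"]["records"]:
        obj = rec["SobjectType"]
        profile = rec["Parent"]["Profile"]["Name"]
        granted = [p for p in WRITE_OR_BYPASS if rec.get(p)]
        if granted:
            findings.append({
                "profile": profile, "object": obj, "issue": "write_or_bypass",
                "perms": [p[len("Permissions"):] for p in granted],
            })
        elif rec.get("PermissionsRead") and obj not in allowed_read_objects:
            findings.append({
                "profile": profile, "object": obj, "issue": "unexpected_read",
                "perms": ["Read"],
            })
    return findings


def _perm(obj, read=False, create=False, edit=False, delete=False,
          view_all=False, modify_all=False):
    """Build one constructed ObjectPermissions record in CLI JSON shape."""
    return {
        "attributes": {"type": "ObjectPermissions"},
        "Parent": {"attributes": {"type": "PermissionSet"},
                   "Profile": {"attributes": {"type": "Profile"},
                               "Name": "Help Center Profile"}},
        "SobjectType": obj,
        "PermissionsRead": read, "PermissionsCreate": create,
        "PermissionsEdit": edit, "PermissionsDelete": delete,
        "PermissionsViewAllRecords": view_all,
        "PermissionsModifyAllRecords": modify_all,
    }


# Constructed sample of what the CLI would return for a misconfigured site.
SAMPLE_CLI_OUTPUT = json.dumps({
    "status": 0,
    "result": {"totalSize": 4, "done": True, "records": [
        _perm("Knowledge__kav", read=True),       # intended: public articles
        _perm("Contact", read=True, edit=True),    # anonymous write access
        _perm("Account", read=True),               # read on an object the site never shows
        _perm("Case", read=True, view_all=True),   # View All bypasses sharing entirely
    ]},
})

# Objects this hypothetical help-center site is meant to expose to guests.
SITE_PUBLIC_OBJECTS = {"Knowledge__kav"}


def run_sample():
    """Run the audit over the constructed sample and return the findings."""
    return audit_guest_permissions(SAMPLE_CLI_OUTPUT, SITE_PUBLIC_OBJECTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['profile']}: {f['object']} {f['issue']} {','.join(f['perms'])}")
```

Object-level permissions are only one layer: guest user sharing rules, field-level security, and which Apex classes and Aura components the guest profile can reach also govern what an unauthenticated caller gets back, so a clean result here narrows the problem rather than closing it.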
#salesforce-security #experience-cloud-exploitation #misconfiguration-vulnerabilities #aurainspector-tool #guest-user-permissions
Read at The Hacker News