Elastica, the leader in Data Science Powered™ Cloud Application Security, today released details about an injection vulnerability disclosed to Salesforce in early July which opened the door for attackers to use a trusted Salesforce application as a platform to conduct phishing attacks to steal end-users’ login credentials and hijack accounts. On August 10, Salesforce patched the vulnerability, a finding validated by Elastica researchers.
Because the vulnerability existed in an actual Salesforce subdomain, end users receiving phishing emails with the URL would likely have had no way of identifying it as malicious and there is a high probability such a URL would not have been detected by spam filters or other anti-phishing solutions. This vulnerability could have been used to attack Salesforce end users, steal credentials and ultimately hijack accounts. Elastica researchers considered this to be a threat, as millions of users around the world log in to Salesforce every day.
Elastica reported the discovery to Salesforce, following standard disclosure guidelines for giving the company time to respond and address the issue. Elastica also provided details on how to mitigate the vulnerability. Because the vulnerability existed in a subdomain, versus the primary Salesforce website, Salesforce considered it a low-impact threat.
Elastica Cloud Threat Labs discovered the vulnerability in “admin.salesforce.com, a subdomain used by Salesforce for blogging purposes. According to threat researchers, this particular subdomain was susceptible to a reflected Cross-site Scripting (XSS) vulnerability, where a specific function in the deployed application failed to filter the arbitrary input passed by the remote user as part of an HTTP request. The use of Salesforce’s trusted server provided an opportunity for attackers to execute JavaScript to steal cookies and session identifiers, force users to visit phishing sites that extract credentials, and distribute malicious code to user machines.
As detailed in the Elastica blog, the flaw enabled attackers to:
- Execute JavaScript to steal cookies and session identifiers, which could have led to a potential Salesforce account takeover depending on Same Origin Policy (SOP).
- Force Salesforce users to visit phishing sites to potentially extract credentials via social engineering tricks; attackers could also have injected pop-up windows to facilitate phishing attacks, as demonstrated on the blog.
- Force users to download malicious code on their machines by executing unauthorized scripts in the context of the browser running a vulnerable application.
“Exploitation of XSS vulnerabilities is among the most prolific methods of Web application hacking today,” said Dr. Aditya K. Sood, lead architect of Elastica Cloud Threat Labs. “Although this particular flaw was only present in a Salesforce subdomain, exploiting the trust of the company’s primary domain could have allowed attackers to easily implement phishing attacks to gain access to user credentials. With stolen credentials, attackers can then access users’ accounts and exfiltrate sensitive data undetected for long periods of time.”
Salesforce uses Single Sign On (SSO), enabling users to easily access a variety of integrated applications through a central login. If phishing attacks implemented through this vulnerability were successful, attackers who secure login credentials gained access to a host of other services, including cloud applications, potentially multiplying the effects of the breach significantly.
The use of SSO makes this vulnerability a viable threat to all SaaS applications. If user login credentials are compromised, the attackers have the ability to infiltrate a variety of cloud applications accessible through the service. The Elastica CloudSOC solution mitigates this risk by using advanced data science to detect malicious behavior occurring within these apps and enables organizations to take immediate action if breached.
About Elastica :
Elastica is the leader in Data Science Powered™ Cloud Application Security. Its CloudSOCTM platform empowers companies to confidently leverage cloud applications and services while staying safe, secure and compliant. A range of Elastica Security Apps deployed on the extensible CloudSOCTM platform deliver the full life cycle of cloud application security, including auditing of shadow IT, real-time detection of intrusions and threats, protection against intrusions and compliance violations, and investigation of historical account activity for post-incident analysis. Elastica is venture-backed by the Mayfield Fund, Pelion Ventures, Third Point Ventures and is headquartered in San Jose, CA.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.