According to a report published Friday by KrebsOnSecurity, at least five separate sites run by the state of Vermont allowed anyone to access sensitive data. Among those affected was the state's pandemic unemployment assistance program, which exposed applicants' full names, Social Security numbers, addresses, phone numbers, email addresses, and bank account numbers. Like other organizations that provide public access to personal data, Vermont used Salesforce Community, a cloud-based software product designed to let organizations quickly create websites.
Another affected Salesforce customer was Huntington Bank of Columbus, Ohio. It had recently acquired TCF Bank, which used Salesforce Community to process commercial loans. Exposed data fields included names, addresses, Social Security numbers, job titles, federal IDs, IP addresses, average monthly wages, and loan amounts.
Both the state of Vermont and Huntington Bank became aware of the leak when Krebs contacted them for comment. In both cases, the organizations quickly shut off public access to the confidential information.
Salesforce Community websites can be configured to require authentication, so that only a limited set of authorized people can reach sensitive data and internal resources. Sites can also be configured so that anyone can view public information without logging in. Administrators sometimes inadvertently grant unauthenticated visitors access to areas of the site that were meant for authorized employees only.
Salesforce told Krebs that it provides clear guidance for customers on configuring a Salesforce Community to give data access to unauthenticated guests. The company pointed to three of its own documentation resources.
Several people have disputed this claim. One of them is Vermont Information Security Director Scott Carbee. He told Krebs that his team was “disappointed by the liberal nature of the platform”. Another critic is Doug Merrett, who first tried to raise awareness two years ago of how easily a Salesforce Community can be misconfigured. On Friday, he elaborated on the problem in a post titled Salesforce Communities Security Issue.
“The problem was that you could hack the URL to see the standard Salesforce pages — Account, Contact, User, etc.,” Merrett wrote. “This wouldn’t actually be a problem, except that the admin didn’t expect you to see the standard pages as they didn’t add objects related to the Aura community navigation and therefore didn’t create the appropriate page layouts to hide the fields that they don’t want the user to see.”
In Salesforce parlance, Aura refers to reusable user interface components that can be applied to selected parts of a web page, from a single line of text to an entire application.
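The misconfiguration described above comes down to what the site's guest user profile is allowed to read. As an added illustration (not code from Krebs, Merrett, or Salesforce), the following audit parses a profile in the Salesforce Metadata API format and flags read access on standard objects and on fields whose names suggest sensitive data; the sample profile and the list of sensitive-name hints are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample guest-user profile (Metadata API layout); not from any real org.
GUEST_PROFILE_XML = """
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Contact</object>
    </objectPermissions>
    <objectPermissions>
        <allowRead>false</allowRead>
        <object>Account</object>
    </objectPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Public_FAQ__c</object>
    </objectPermissions>
    <fieldPermissions>
        <field>Contact.SSN__c</field>
        <readable>true</readable>
    </fieldPermissions>
</Profile>
"""

# Hypothetical name fragments that usually mark fields a guest should never read.
SENSITIVE_FIELD_HINTS = ("ssn", "social", "bank", "routing", "salary", "wage", "tax")


def audit_guest_profile(xml_text):
    """Return (finding_type, target) pairs for risky guest read permissions."""
    root = ET.fromstring(xml_text)
    findings = []
    # Object-level: guest read on any standard object (no __c suffix) is suspicious,
    # because the standard record pages for it become reachable by URL.
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", namespaces=NS) or ""
        if op.findtext("sf:allowRead", namespaces=NS) == "true" and not obj.endswith("__c"):
            findings.append(("standard-object-read", obj))
    # Field-level: guest read on a field whose name hints at sensitive content.
    for fp in root.findall("sf:fieldPermissions", NS):
        field = fp.findtext("sf:field", namespaces=NS) or ""
        readable = fp.findtext("sf:readable", namespaces=NS) == "true"
        if readable and any(h in field.lower() for h in SENSITIVE_FIELD_HINTS):
            findings.append(("sensitive-field-read", field))
    return findings
```

Run against an exported guest profile, each finding is a permission to review; custom objects deliberately published for guests (like Public_FAQ__c here) are left alone.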
Krebs said he learned about the leaks from security researcher Charan Akiri, who identified hundreds of organizations with misconfigured Salesforce sites. Akiri said that of the many companies and government organizations he notified, only five ended up fixing the problems. None of them were in the public sector.
One organization Krebs notified was the government of Washington, D.C., which uses Salesforce Community for at least five DC Health public websites and was leaking sensitive information. D.C.'s interim director of information security told Krebs that she had reviewed the findings of an outside consultant brought in to investigate. That third party, she told Krebs, had concluded the sites were not susceptible to data loss.
Krebs then provided a document containing a healthcare worker's Social Security number, which he had downloaded from DC Health while interviewing the director of information security. She then acknowledged that her team had overlooked some configuration settings.