A new security advisory warns Salesforce users with custom instances to check for common programming errors and misconfigurations that can expose their sales data.
At the heart of the problem is the Apex programming language, a Java-like tool that allows companies to add functionality to their Salesforce instances and developers to create apps for the Salesforce AppExchange marketplace. Simple errors and misconfigurations while using the tool, however, can result in vulnerabilities that undermine the security of enterprise Salesforce applications, say security experts at data security firm Varonis.
Varonis researchers found that several government organizations and enterprises had customized or added features to their Salesforce Apex code that leaked data, allowed data corruption, or allowed an attacker to disrupt business functions. The data at risk included sensitive information such as phone numbers, home addresses and SSNs, but also credentials, such as usernames and passwords, says Nitay Bachrach, senior security researcher at Varonis, who conducted the assessment.
“In some cases, the exploitation was very complicated and required internally developed techniques, while in others it was a simple oversight: the guest user was simply able to execute code without reason and this leaked sensitive data,” he explained. she says. “Under the shared responsibility model, users have the choice to write code, but they are also responsible for ensuring it is secure. Salesforce is not responsible for Apex code… uploaded by users to their Salesforce instances.”
Salesforce Account and “Lax” Permissions.
Varonis is the latest security company to do so warns of common configuration errors in Salesforce sites and applications, which often ran with permissive permissions. The combination of a lack of security oversight of custom Apex code used in internal Salesforce instances and other components such as Lightning Communities has led to vulnerable cloud sites and applications, according to SaaS security firm AppOmni stated in a research paper in 2021.
In 2023, security researcher Charan Akiri, now on Reddit, discovered that Salesforce Apex misconfigurations allowed access to data on more than 100 websites belonging to public bodies and large companies, such as banks and hospitals.
The problem is likely widespread because the platform makes it easy to bypass permissions, says Brian Soby, chief technology officer and co-founder of AppOmni, who has worked in product security at Salesforce for more than five years.
“By default, Apex can access any data, and it doesn’t matter if the calling user is allowed to access that data,” he says. “So you can have a very limited user calling a VisualForce page or an Apex… and they might ask [for] data they can’t get themselves, all because Apex works with elevated permissions.”
Dangers related to Apex configuration
At the heart of Apex issues is whether a developer designates an Apex class as “with sharing” or “without sharing.” Confusingly, the “no sharing” designation is the more dangerous of the two, as it allows Apex code to ignore the user’s permission, modify any record, and apply those changes, Varonis said in his notice.
“Apex classes that run ‘without sharing,’ ignoring user permissions, are a powerful and important feature often required for proper operation,” the advisory states. “However, with great power comes great responsibility. This mode increases risk and should be used with caution, especially if assigned to guests or external users.”
When set to “no sharing”, the service is vulnerable to insecure direct object references (IDORs), often called Broken Object Level Authorization (BOLA) flaws. In 2023, the Open Worldwide Application Security Project (OWASP) has released an updated list of the top 10 API security issues which listed IDOR as the top risk for APIs. The “no sharing” attribute also allows for more traditional flaws, such as database injection attacks, through Apex code.
While Salesforce did not directly comment on Varonis’ research, the company stressed that security is an important issue. In August 2023 the company published the first 20 issues which it discovered through security scans of Apex apps published on its AppExchange marketplace. Sharing violations ranked third on the list.
“Nothing is more important to us than the security of customer data,” a Salesforce spokesperson said in a statement provided to Dark Reading. “In addition to our secure coding guidelines, which walk customers through common security issues that Salesforce has identified when auditing applications built on or integrated with the Lightning platform, we offer [several] services” for protect applications and datathe spokesperson said.
How to secure your Salesforce app
Varonis recommends that Salesforce developers avoid “no sharing” configurations when possible, control all user-supplied input, and be careful when allowing guest users and external users any access to Apex classes.
Conducting a security assessment of all custom and third-party Apex software is critical, says Varonis’ Bachrach.
“We recommend securing all Apex classes, but prioritize those that can be managed by guest users, followed by those that can be managed by external actors such as customers or partners,” he says. “Organizations need to follow best practices but also track access. They should keep the principle of least privilege in mind when writing code and managing access to Apex classes.”
Companies need to make sure their developers are trained on how to securely build and manage Salesforce applications and instances and enforce good security posture, says AppOmni’s Soby. She’s seen companies post links to specific pages that don’t require special permissions, giving them, in theory, a launching pad for attacks.
“Salesforce didn’t set it up this way by default – the customer is shooting themselves in the foot, because they either didn’t know what they were doing or didn’t understand the ramifications of what is, quite a bit, a very complicated setup process,” he claims. “Or they say, ‘We’ll just take the shortcut, and maybe no one will notice,’ and in the meantime, some script kitty runs the code they found on GitHub and sucks up all your sales forecasts.”