SecurityWeek

Cloud Security

Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information

Salesforce ghost sites — domains that are no longer maintained but still accessible — can expose personal information and business data.

Organizations that fail to properly deactivate Salesforce Community websites they no longer use can expose sensitive personal and corporate information, according to data security and analytics company Varonis.

Varonis reported identifying many such improperly deactivated websites, which the company has dubbed ‘Salesforce ghost sites’. These sites have been found to expose personally identifiable information and business data that should not be accessible.

“The exposed data is not restricted to only old data from when the site was in use; it also includes new records that were shared with the guest user due to the sharing configuration in their Salesforce environment,” Varonis warned. 

Ghost sites are Salesforce Communities that have been abandoned — they are still accessible, but no longer monitored or protected.

Companies can set up Salesforce Community websites to share information and let users connect and collaborate. Salesforce hosts each site on a domain such as ‘partners.acme.org.00d400.live.siteforce.com’, but the site can be made reachable under a shorter custom URL such as ‘partners.acme.org’ by pointing a DNS record (a CNAME) at that Salesforce hostname.

Ghost sites, according to Varonis, emerge when a company replaces a Salesforce site with, for instance, a website running in their AWS environment. The ‘partners.acme.org’ domain is pointed to the new site, but the custom Salesforce domain continues to exist.


“Varonis Threat Labs researchers discovered that many companies stop at just modifying DNS records. They do not remove the custom domain in Salesforce, nor do they deactivate the site. Instead, the site continues to exist, pulling data and becoming a ghost site,” Varonis explained.

Tools such as SecurityTrails, which index and archive historical DNS records, can be used to find ghost sites: a hostname whose earlier CNAME pointed at a Salesforce site domain but which now resolves somewhere else is a candidate, and the old Salesforce hostname can then be checked directly to see whether it still serves content.

Because nobody reviews or fixes them, these unmaintained websites can also be more exposed to attack: weaknesses in their configuration or security holes that would normally be patched are likely to go unnoticed.

“To solve the problem of ghost sites — and to mitigate other threats — sites that are no longer in use should be deactivated. It’s important to keep track of all Salesforce sites and their respective users’ permissions — including both community and guest users,” Varonis recommended.

This is not the first time Varonis has warned organizations about security risks associated with the use of Salesforce Communities and the potential exposure of sensitive data.

Related: Faulty Database Script Exposed Salesforce Data to Wrong Users

Related: Salesforce Paid Out $12.2 Million in Bug Bounty Rewards to Date

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

