Thursday, August 13th, 2015 - NewsMaker

Attackers Could Have Used Injection Vulnerability to Exploit Web Applications, Launch Phishing Attacks, Steal Login Credentials and Hijack Salesforce User Accounts; Salesforce Addresses Issue

SAN JOSE, CA -- (Marketwired) -- Aug 12, 2015 -- Elastica (www.elastica.net), the leader in Data Science Powered™ Cloud Application Security, today released details about an injection vulnerability disclosed to Salesforce in early July which opened the door for attackers to use a trusted Salesforce application as a platform to conduct phishing attacks to steal end-users' login credentials and hijack accounts. On August 10, Salesforce patched the vulnerability, a finding validated by Elastica researchers.

Because the vulnerability existed in an actual Salesforce subdomain, end-users receiving phishing emails with the URL would likely have had no way of identifying it as malicious and there is a high probability such a URL would not have been detected by spam filters or other anti-phishing solutions. This vulnerability could have been used to attack Salesforce end-users, steal credentials and ultimately hijack accounts. Elastica researchers considered this to be a threat, as millions of users around the world log in to Salesforce every day.

Elastica reported the discovery to Salesforce, following standard disclosure guidelines for giving the company time to respond and address the issue. Elastica also provided details on how to mitigate the vulnerability. Because the vulnerability existed in a subdomain versus the primary Salesforce website, Salesforce considered it a low-impact threat.

Elastica Cloud Threat Labs discovered the vulnerability in "admin.salesforce.com," a subdomain used by Salesforce for blogging purposes. According to threat researchers, this particular subdomain was susceptible to a reflected Cross-site Scripting (XSS) vulnerability, where a specific function in the deployed application failed to filter the arbitrary input passed by the remote user as part of an HTTP request. The use of Salesforce's trusted server provided an opportunity for attackers to execute JavaScript to steal cookies and session identifiers, force users to visit phishing sites that extract credentials, and distribute malicious code to user machines. As detailed in the Elastica blog, the flaw enabled attackers to:

  • Execute JavaScript to steal cookies and session identifiers, which could have led to a potential Salesforce account takeover depending on Same Origin Policy (SOP).
  • Force Salesforce users to visit phishing sites to potentially extract credentials via social engineering tricks; attackers could also have injected pop-up windows to facilitate phishing attacks, as demonstrated on the blog.
  • Force users to download malicious code on their machines by executing unauthorized scripts in the context of the browser running a vulnerable application.

"Exploitation of XSS vulnerabilities is among the most prolific methods of Web application hacking today," said Dr. Aditya K. Sood, lead architect of Elastica Cloud Threat Labs. "Although this particular flaw was only present in a Salesforce subdomain, exploiting the trust of the company's primary domain could have allowed attackers to easily implement phishing attacks to gain access to user credentials. With stolen credentials, attackers can then access users' accounts and exfiltrate sensitive data undetected for long periods of time."

Salesforce uses Single Sign On (SSO), enabling users to easily access a variety of integrated applications through a central login. If phishing attacks implemented through this vulnerability were successful, attackers who secure login credentials gained access to a host of other services, including cloud applications, potentially multiplying the effects of the breach significantly.

The use of SSO makes this vulnerability a viable threat to all SaaS applications. If user login credentials are compromised, the attackers have the ability to infiltrate a variety of cloud applications accessible through the service. The Elastica CloudSOC solution mitigates this risk by using advanced data science to detect malicious behavior occurring within these apps and enables organizations to take immediate action if breached.

For an in-depth analysis of the Salesforce XSS flaw and accompanying video, please visit the Elastica Cloud Threat Labs blog: https://www.elastica.net/?p=2455

Interact with Elastica:
Join Elastica on LinkedIn: https://www.linkedin.com/company/elastica
Like Elastica on Facebook: https://www.facebook.com/ElasticaInc
Follow Elastica on Twitter: https://twitter.com/elasticainc

About Elastica:
Elastica is the leader in Data Science Powered™ Cloud Application Security. Its CloudSOC™ platform empowers companies to confidently leverage cloud applications and services while staying safe, secure and compliant. A range of Elastica Security Apps deployed on the extensible CloudSOC™ platform deliver the full life cycle of cloud application security, including auditing of shadow IT, real-time detection of intrusions and threats, protection against intrusions and compliance violations, and investigation of historical account activity for post-incident analysis. Elastica is venture-backed by the Mayfield Fund, Pelion Ventures, Third Point Ventures and is headquartered in San Jose, CA.

Learn more about Elastica at http://www.elastica.net.

Media Contact for Elastica
Aparna Aswani
Bhava Communications for Elastica
[email protected]
415-699-8331 


Contact Profile

NewsMaker


NewsMaker is an Australian Press Release Distribution and Social Media Marketing service founded in 2004. The company today represents over 22,000 brands who seek to share their content with journalists, bloggers and the community.


Newsmaker Editors
P: +61 414 69 70 71
W: www.newsmaker.com.au

Keywords

Elastica Cloud Threat Labs Discloses Script Injection Vulnerability Salesforce

Categories

Sharing

More Formats