Script injection vulnerability discovered in Salesforce

Elastica discovered an injection vulnerability in Salesforce which opened the door for attackers to use a trusted Salesforce application as a platform to conduct phishing attacks to steal end-users’ login credentials and hijack accounts. On August 10, Salesforce patched the vulnerability.

Because the vulnerability existed in a genuine Salesforce subdomain, end users receiving phishing emails containing the URL would likely have had no way of identifying it as malicious, and there is a high probability that such a URL would not have been detected by spam filters or other anti-phishing solutions.

Researchers discovered the vulnerability in admin.salesforce.com, a subdomain used by Salesforce for blogging purposes. This particular subdomain was susceptible to a reflected Cross-site Scripting (XSS) vulnerability, where a specific function in the deployed application failed to filter the arbitrary input passed by the remote user as part of an HTTP request.

The use of Salesforce’s trusted server gave attackers the opportunity to run JavaScript in the context of a legitimate Salesforce domain. The flaw enabled attackers to:

  • Execute JavaScript to steal cookies and session identifiers, which could have led to a potential Salesforce account takeover depending on Same Origin Policy (SOP).
  • Force Salesforce users to visit phishing sites to potentially extract credentials via social engineering tricks; attackers could also have injected pop-up windows to facilitate phishing attacks.
  • Force users to download malicious code on their machines by executing unauthorized scripts in the context of the browser running a vulnerable application.
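As an added example (not Salesforce’s or Elastica’s code), the unfiltered reflection described above is shown beside a hardened handler that encodes output and sets defence-in-depth headers; the search endpoint, the `q` parameter name and the header values are assumptions for illustration:

```javascript
// Added example, not code from Salesforce or Elastica: a request handler
// that reflects the "q" query parameter into an HTML page, first in the
// unfiltered form the advisory describes, then hardened with contextual
// output encoding and defence-in-depth response headers.

// Vulnerable: user-controlled input is concatenated straight into markup.
function renderSearchUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// HTML entity encoding for text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: the same page with the reflected value encoded before insertion.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Response headers that limit what an injected script could do even if
// encoding were missed: no inline scripts, and a session cookie that
// JavaScript cannot read. The cookie value is a placeholder.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
    'Set-Cookie': 'sid=PLACEHOLDER_SESSION_ID; Secure; HttpOnly; SameSite=Lax',
  };
}

// Build a full response for a request URL using the hardened renderer.
function handleRequest(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return { status: 200, headers: securityHeaders(), body: renderSearchSafe(q) };
}

// Review check: did markup from the input survive verbatim into the page?
// A true result means the handler reflects input without encoding.
function reflectsMarkup(input, html) {
  return /<[a-z!/]/i.test(input) && html.includes(input);
}

// Constructed probe string of the kind a scanner would send; it contains
// nothing beyond a tag, which is all the check needs.
const PROBE = '<script>alert(1)</script>';
```

Running `reflectsMarkup` over handler output is a cheap regression check for the class of bug described here, but it complements rather than replaces a templating engine that encodes by default.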

“Exploitation of XSS vulnerabilities is among the most prolific methods of Web application hacking today,” said Dr. Aditya K. Sood, lead architect of Elastica Cloud Threat Labs. “Although this particular flaw was only present in a Salesforce subdomain, exploiting the trust of the company’s primary domain could have allowed attackers to easily implement phishing attacks to gain access to user credentials. With stolen credentials, attackers can then access users’ accounts and exfiltrate sensitive data undetected for long periods of time.”

Salesforce uses Single Sign On (SSO), enabling users to access a variety of integrated applications through a central login. Had phishing attacks implemented through this vulnerability succeeded, attackers who obtained login credentials would have gained access to a host of other services, including cloud applications, potentially multiplying the effects of the breach significantly.
