Sensitive Corporate Data Exposed by Salesforce “Ghost Sites”

A team of researchers from Varonis Threat Labs recently made a significant discovery regarding certain Salesforce sites. These sites, known as Salesforce Ghost Sites, were once active sites that were left unattended. By exploiting vulnerabilities in the host headers of these websites, malicious actors can easily extract personally identifiable information (PII) and sensitive business data.

According to researchers at Varonis Threat Labs, it’s common for Salesforce sites to be neglected without being properly deactivated once they’re no longer needed. Due to the lack of maintenance, these unused sites are not subjected to vulnerability testing, and administrators neglect to update security measures in line with the latest guidelines, according to Varonis.

Varonis also discovered that numerous Salesforce sites, which were technically inactive but still operational, were continuing to retrieve new data. "The exposed data is not restricted to only old data from when the site was in use; it also includes new records that were shared with the guest user due to the sharing configuration in their Salesforce environment," stated the researchers.

As these outdated sites lack the latest security protections, it’s easy to exploit these ghost sites for all they are worth by threat actors. If left to continue undetected, and the Salesforce environment is set to continually share data, the threat actors could get a steady stream of new data and information.

Tools like SecurityTrails also allow threat actors to analyze indexed and archive DNS records, which makes identifying ghost sites easy. This means cybercriminals could specifically search for such ghost sites and target them.

To mitigate the risks associated with ghost sites, organizations are advised to maintain a comprehensive inventory of all Salesforce sites and carefully manage user permissions. It is also recommended to ensure proper deactivation of sites that are no longer in use.