
Many Public Salesforce Sites are Leaking Private Data

Apparently a large number of Salesforce Community web sites are leaking private and sensitive data.

Salesforce Community is a way to deploy web sites quickly.

Just not securely.

For example, the state of Vermont had at least 5 different community sites open to the public, and by open, I mean leaking names, Social Security numbers, addresses, phone numbers, email addresses and bank account numbers, among other things.

Vermont said, well, we were in a hurry during the pandemic, and we didn’t actually worry much about security.

Other well-known organizations found to be leaking data include:

  • Huntington Bank’s TCF Bank division was leaking commercial loan data
  • Washington DC had at least five different public health websites leaking sensitive data

The researcher who discovered this identified hundreds of web sites leaking data.

Of course, the typical government response was “we investigated and we are not leaking data”. Denial is more than a river in Egypt. So, security journalist Brian Krebs provided DC’s interim CISO with a document that he downloaded in real time from the DC Health public website that contained the Social Security number of a health professional. When confronted with reality, he changed his tune. In other words, the strategy may be deny, then secretly fix the problem. Or even worse, don’t fix it and hope it all goes away.

In Salesforce’s defense, they do have tools to HELP developers not do bad things, but you have to use them and use them correctly.

This is not limited to Salesforce; this can be a problem with any cloud solution.

This means that developers need to test access controls to make sure they are not leaking data unintentionally. Penetration tests, as these tests are called, are mandated by almost all regulatory standards and must be repeated frequently as things change.

Credit: Brian Krebs
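The kind of access-control test the alert calls for, as an added example that is not code from the original post, from Brian Krebs, or from Salesforce. It uses a simplified, assumed model of a public site's "guest" profile: a set of fields the unauthenticated visitor is allowed to read (the weak setting, `None`, means every field is readable; the hardened setting is an explicit allowlist). The record contents and field names are constructed sample data. The audit simulates what a guest would receive for each record and flags leaks both by field name and by value pattern, so a Social Security number typed into a free-text field is still caught.

```python
import re

# Constructed sample records (not real data). Record 1 has an SSN
# pasted into a free-text Notes field, a common way data leaks past
# field-name based reviews.
RECORDS = [
    {"Name": "Pat Example", "Email": "pat@example.com", "Phone": "555-0100",
     "SSN": "123-45-6789", "BankAccount": "000123456789", "Status": "Active"},
    {"Name": "Sam Sample", "Status": "Pending",
     "Notes": "SSN on file: 987-65-4321"},
]

# Two assumed guest-profile configurations.
GUEST_FIELDS_WEAK = None                 # weak: no field-level restriction
GUEST_FIELDS_HARDENED = {"Name", "Status"}  # hardened: explicit allowlist

# Fields that should never be readable by an unauthenticated visitor.
SENSITIVE_FIELD_NAMES = {"SSN", "BankAccount", "Email", "Phone"}

# Value patterns for data that may hide under an innocuous field name.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "bank_account": re.compile(r"\b\d{10,17}\b"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I),
}


def guest_view(record, readable_fields):
    """Return the fields an unauthenticated visitor would receive."""
    if readable_fields is None:
        return dict(record)
    return {k: v for k, v in record.items() if k in readable_fields}


def audit_guest_exposure(records, readable_fields):
    """Simulate the guest view of every record and list leaks as
    (record_index, field_name, reason) tuples."""
    findings = []
    for i, rec in enumerate(records):
        for name, value in guest_view(rec, readable_fields).items():
            if name in SENSITIVE_FIELD_NAMES:
                findings.append((i, name, "field_name"))
                continue
            for label, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(str(value)):
                    findings.append((i, name, label))
    return findings


def is_safe_for_guests(records, readable_fields):
    """True when the guest view of every record exposes nothing sensitive."""
    return not audit_guest_exposure(records, readable_fields)


if __name__ == "__main__":
    for label, cfg in (("weak", GUEST_FIELDS_WEAK), ("hardened", GUEST_FIELDS_HARDENED)):
        print(label, "safe" if is_safe_for_guests(RECORDS, cfg) else "LEAKING",
              audit_guest_exposure(RECORDS, cfg))
```

Run against the weak configuration the audit reports every sensitive field on record 0 plus the SSN hidden in record 1's Notes; against the allowlist it reports nothing. Wiring a check like this into the release pipeline, with records fetched through the real unauthenticated endpoint instead of the simulated `guest_view`, turns the one-off penetration test the alert describes into a regression test that runs every time the site changes.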