Beware of Ghost Sites: Silent Threat Lurking in Your Salesforce Communities

Improperly deactivated and abandoned Salesforce Sites and Communities (aka Experience Cloud) could pose severe risks to organizations, leading to unauthorized access to sensitive data.

Data security firm Varonis dubbed the abandoned, unprotected, and unmonitored resources "ghost sites."

"When these Communities are no longer needed, though, they are often set aside but not deactivated," Varonis Threat Labs researchers said in a new report shared with The Hacker News. "Because these unused sites are not maintained, they aren't tested against vulnerabilities, and Admins fail to update the site's security measures according to newer guidelines."

Varonis said it found many of these deactivated (but still active) sites still fetching new data, thereby allowing threat actors to extract data by manipulating the host header in the HTTP request.

Identifying the complete internal URLs associated with the sites is challenging but not impossible, as an adversary could leverage tools like SecurityTrails that track changes to DNS records.
Compounding the risk further is the fact that the obsolete sites lack the latest security protections, making them an ideal target for threat actors looking to siphon sensitive information.

"The exposed data is not restricted to only old data from when the site was in use; it also includes new records that were shared with the guest user, due to the sharing configuration in their Salesforce environment," the researchers said.

To mitigate the threats associated with ghost sites, organizations are advised to keep track of all Salesforce sites and their respective users' permissions. It's also recommended to properly deactivate sites that are no longer in use.
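A defender-side inventory check along the lines of the advice above, as an added example (not Varonis' or Salesforce's code): it takes rows shaped like a SOQL query over the Site object plus each site's mapped custom domains, and flags active, guest-enabled sites whose custom domain no longer points at Salesforce (the "DNS turned off but never deactivated" case that produces a ghost site) or that have gone unmodified for a long time. The Site field names are real; the CNAME suffixes, the sample records and the DNS answers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed CNAME target suffixes Salesforce assigns to custom domains; check the
# Domain Management setup page for the ones your org actually uses.
SF_CNAME_SUFFIXES = ("live.siteforce.com", "my.salesforce-sites.com")


@dataclass
class SiteRecord:
    """One row of: SELECT Name, Status, GuestUserId, LastModifiedDate FROM Site,
    joined with the custom domains mapped to it (Domain / DomainSite objects)."""
    name: str
    status: str                     # Site.Status: 'Active' or 'Inactive'
    guest_user_id: Optional[str]    # None when the site has no guest user
    last_modified: datetime
    custom_domains: list = field(default_factory=list)


def triage(sites, cname_lookup: Callable[[str], Optional[str]],
           now: datetime, stale_days: int = 180) -> dict:
    """Return {site name: [findings]}; an empty list means nothing to act on.
    cname_lookup(domain) returns the CNAME target, or None if the record is gone
    (back it with a real resolver such as dnspython in production)."""
    report = {}
    for s in sites:
        findings = []
        if s.status == "Active" and s.guest_user_id:
            for d in s.custom_domains:
                target = cname_lookup(d) or ""
                if not target.endswith(SF_CNAME_SUFFIXES):
                    # DNS was removed but the site never deactivated: it still
                    # answers on its internal URL. This is the ghost-site case.
                    findings.append(f"ghost candidate: {d} no longer points at Salesforce")
            if not s.custom_domains:
                findings.append("guest access with no custom domain; confirm still needed")
            age = (now - s.last_modified).days
            if age > stale_days:
                findings.append(f"unmodified for {age} days; review guest sharing rules")
        report[s.name] = findings
    return report


def example_report() -> dict:
    """Run triage over constructed Site rows and constructed DNS answers."""
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    sites = [
        SiteRecord("Partner Portal", "Active", "005_EXAMPLE_GUEST_1",
                   now - timedelta(days=400), ["partners.example.com"]),
        SiteRecord("Support Community", "Active", "005_EXAMPLE_GUEST_2",
                   now - timedelta(days=10), ["support.example.com"]),
        SiteRecord("Old Event Site", "Inactive", "005_EXAMPLE_GUEST_3",
                   now - timedelta(days=900), []),
    ]
    dns = {"support.example.com": "support.example.com.0a1b.live.siteforce.com"}
    return triage(sites, dns.get, now)
```

Feed the output into a ticketing or review process: a "ghost candidate" finding means the site should be set to Inactive (or its guest user's sharing rules removed), not merely unlinked from DNS.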