A new security advisory urges Salesforce users with customized instances to look for common programming errors and misconfigurations that could expose their sales data.
The core of the issue is the Apex programming language, a Java-like language that lets developers build apps for the Salesforce AppExchange marketplace and lets businesses extend the functionality of their Salesforce instances. According to security researchers at data security company Varonis, however, basic mistakes and misconfigurations made while using the language can introduce vulnerabilities that compromise the security of corporate Salesforce systems.
Varonis researchers found that a number of businesses and government agencies had modified or added elements to their Salesforce Apex code in ways that made data leaks possible, allowed data corruption, or let an attacker disrupt regular business operations. According to Nitay Bachrach, the senior security researcher at Varonis who carried out the evaluation, the at-risk data included credentials such as usernames and passwords, as well as personal data including phone numbers, home addresses, and Social Security numbers.
Varonis is the latest security company to alert users to frequent setup errors in Salesforce websites and apps, many of which run with slack permissions. In a 2021 research paper, SaaS security firm AppOmni attributed insecure websites and cloud apps to a combination of factors, including the use of features such as Lightning Communities and the absence of security review for custom Apex code used in internal Salesforce instances.
In 2023, Salesforce Apex misconfigurations exposed data on over 100 websites owned by government organizations and major corporations, including banks and hospitals, according to security researcher Charan Akiri, who now works at Reddit.