Salesforce Patches XSS on a Subdomain

Salesforce.com patched a cross-site scripting vulnerability on one of its domains that could have led to phishing attacks.

Salesforce.com has patched a vulnerability on one of its subdomains that exposed users to account takeover, phishing attacks and the installation of malicious code.

The vulnerability was disclosed yesterday by researcher Aditya K. Sood of Elastica Cloud Threat Labs.

Sood said admin.salesforce.com was vulnerable to cross-site scripting; the flaw, which he reported more than a month ago, has since been patched. Salesforce, Sood wrote in a blog post, said the vulnerability posed less of a risk because it was present in a Salesforce subdomain rather than the login domain.

“The vulnerability was not present in ‘login.salesforce.com,’ but in another subdomain of Salesforce. However, since the primary domain is ‘salesforce.com,’ this trust can be exploited through phishing attacks by tricking users into providing their legitimate credentials,” Sood said.

Sood said that Salesforce accounts use single sign-on (SSO) for authentication across its applications, which extends the threat to accounts used with cloud-based applications as well.

“This subdomain was vulnerable to a reflected cross-site scripting (XSS) vulnerability where a specific function in the deployed application failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request,” Sood said. “As a result, the attacker could have executed JavaScript in the context of the application, thereby impacting the privacy and security of Salesforce users.”

To carry out a phishing attack, a hacker would need to create a popup mimicking the Salesforce login and remotely inject the JavaScript. From there, the victim would enter their legitimate Salesforce credentials that are then sent to the attacker’s web server.

Cross-site scripting (XSS) attacks happen when malicious script is injected into a website or web-based application; XSS is a perennial web application security issue on the OWASP Top 10 list. Generally, the attacker supplies the malicious script in a GET request parameter, or it is included in dynamic content. XSS is usually possible because a web application fails to validate or encode the input it reflects back to the browser.
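As an added illustration, not code from the article or from Salesforce, here is the pattern Sood describes in miniature: a handler that reflects a request parameter into HTML unescaped, beside the hardened version that encodes it for HTML context. The function names (escapeHtml, renderUnsafe, renderSafe, respondToQuery) and the sample query string are constructed for this example.

```javascript
// Added example of a reflected XSS pattern and its fix (not the article's or
// Salesforce's code). Runs in Node.js with no dependencies.

// Escape the five characters that matter in HTML text and attribute context.
// Ampersand goes first so already-escaped output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the untrusted value lands in the response body unchanged, so any
// markup in the request parameter is interpreted by the browser as page content.
function renderUnsafe(name) {
  return `<p>Welcome back, ${name}</p>`;
}

// Hardened: the same page, with the untrusted value encoded for HTML context.
// Injected markup is rendered as literal text instead of being executed.
function renderSafe(name) {
  return `<p>Welcome back, ${escapeHtml(name)}</p>`;
}

// Builds the response for a raw query string such as "name=Alice", using the
// hardened renderer. URLSearchParams performs the percent-decoding, which is
// why encoding must happen at output time, after decoding, not before.
function respondToQuery(queryString) {
  const params = new URLSearchParams(queryString);
  const name = params.get("name") || "guest";
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      // Defence in depth: disallowing inline script limits the impact of an
      // escaping bug elsewhere in the application.
      "Content-Security-Policy": "default-src 'self'",
    },
    body: renderSafe(name),
  };
}
```

Output encoding is the fix for the reflection itself; the CSP header only reduces the blast radius if a similar bug is missed elsewhere.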
