Salesforce plugs silly website XSS hole, hopes nobody spotted it

Web development 101: Thou shalt stop thy users from inputting JavaScript

Marc Benioff of Salesforce. Pic: Techcrunch
Salesforce COE Marc Benioff, who is not vulnerable to JavaScript or XSS vulns

A cross-site scripting (XSS) vulnerability on Salesforce's website might have been abused to pimp phishing attacks or hijack user accounts. Fortunately the bug has been resolved, apparently before it caused any harm.

Cloud app and security firm Elastica said the issue affected a Salesforce sub-domain –

admin.salesforce.com

– and came from a failure to sanitise user-submitted inputs.

The oversight means that miscreants are able to push JavaScript through a newsletter sign-up box that ought to only accept email addresses.

This JavaScript might have been harnessed to steal cookies and session identifiers, creating a possible account hijack risk. More straightforwardly, an attacker might have abused the security weakness to inject pop-up windows in users' browsers or otherwise redirected Salesforce users towards phishing sites.

The security flaw might also created a mechanism to sling malicious scripts, according to Elastica.

The vulnerability was not present in

login.salesforce.com

but in another subdomain of Salesforce, meaning it posed a lesser risk. Elastica notified Salesforce about the problem around a month ago before going public with the issue after it was resolved.

Cross-site scripting errors, along with SQL injection flaws, habitually hog the top of charts logging the most common classes of web development security slip-ups.

A Salesforce spokesman said: "At Salesforce, trust is our #1 value. We investigated and remediated a minor vulnerability impacting the blog site "admin.salesforce.com", which is not connected to the Salesforce application or customer data. We have no evidence of impact to Salesforce customers or their data."

Commentary on the now resolved security bug on Salesforce's website can be found in a blog post by security tools firm Tripwire here. ®




Biting the hand that feeds IT © 1998–2018