VIDEO: Elastica discovers major vulnerability in Salesforce cloud CRM app

By Byron V. Acohido

Cloud application security start-up Elastica should be commended for alerting Salesforce privately about a notable flaw Elastica researchers discovered in one of the subdomains of the official Salesforce website.

Elastica gave Salesforce the heads-up last month, and waited until the CRM giant readied a patch before going public with its finding Wednesday.

Elastica researchers unearthed a cross-site scripting (XSS) vulnerability in admin.salesforce.com, a subdomain used by Salesforce administrators.

Had criminal hackers beaten Elastica to the punch, they could have moved to exploit a huge attack vector. Thousands of companies, many of them small and mid-size organizations that subscribe to Salesforce, would have been exposed.


An attacker would have been able to execute phishing attacks from inside Salesforce and harvest users’ credentials, with a good chance of eluding spam filters and anti-phishing solutions.

But there is a larger lesson here. Business software can be riddled with flaws like this one, waiting to be discovered. Depending on who finds these so-called zero-day vulnerabilities first, either patching or exploitation can be expected to eventually follow. ThirdCertainty asked Aditya K. Sood, lead architect of Elastica Cloud Threat Labs, to outline the wider context.

3C: Can you characterize how pervasive these types of latent, but as yet undiscovered, vulnerabilities are in business software?

Sood: Any public-facing application is susceptible to an attack. It is difficult to say how many business applications are, but developers can make mistakes, which could result in vulnerabilities. For that reason, we require security assessments of business applications before they are deployed in production environments.

3C: How effective are bounty programs in keeping these types of vulnerabilities mitigated?

Sood: Bug bounties motivate researchers to disclose vulnerabilities to the vendors in a responsible fashion and, in return, researchers get rewarded for their efforts. It definitely helps to build positive relationships with security researchers. It is a very cost-effective way for organizations to get their publicly facing products tested by talented researchers. It’s a form of crowd-sourced security testing.


3C: To what extent are bad-guy researchers proactively looking for these same types of vulnerabilities?

Sood: The attackers are continuously hunting vulnerabilities as it is highly rewarding. By exploiting a single vulnerability, attackers can target a large number of users in one go and reap desired outcomes. Exploitation of one high-risk vulnerability in an application of a known vendor can cause significant damage to the brand value and result in business losses.

3C: Given complexities attendant to cloud and mobile computing, should we expect the bad guys to routinely find and exploit vulnerabilities like these before the good guys get there?

Sood: Considering the present state of cyber crime and online fraud, exploitation and hunting of vulnerabilities should be treated as an arms race. Cloud applications will become more frequent targets of attackers as usage increases, but this should not overrule the effectiveness of cloud applications. Businesses will have to add one more layer of security to strengthen their cloud infrastructure.

3C: What would you say is the big takeaway for small and mid-size businesses?

Sood: For securing cloud applications, SMBs require dedicated cloud security monitoring, detection and prevention solutions to detect cloud-specific threats.

Employees should be educated about the perils of phishing attacks and how to opt for safe surfing habits to avoid leaking sensitive information, such as credentials, through unauthorized channels.

Two-factor authentication (TFA) should be enforced as a compliance and security policy so that every employee uses TFA as a second channel of authentication. Security controls can be enforced on end-user devices such as prohibiting users from accessing applications without TFA.

