Salesforce.com has patched a vulnerability on one of its subdomains that exposed users to account takeover, phishing attacks and the installation of malicious code.
The vulnerability was disclosed yesterday by researcher Aditya K. Sood of Elastica Cloud Threat Labs.
Sood said admin.salesforce.com was vulnerable to a cross-site scripting attack that has since been patched after it was reported more than a month ago. Salesforce, Sood wrote in a blogpost, said the vulnerability posed less of a risk because it was present in a Salesforce subdomain.
“The vulnerability was not present in ‘login.salesforce.com,’ but in another subdomain of Salesforce. However, since the primary domain is ‘salesforce.com,’ this trust can be exploited through phishing attacks by tricking users into providing their legitimate credentials,” Sood said.
Sood said that Salesforce accounts for its applications use SSO for authentication, extending the threat even to accounts used with cloud-based applications.
Cross-site scripting attacks (XSS) happen when malicious script is injected into a Website or Web-based application, and is a perennial web application security issue on the OWASP Top 10 list. Generally, an attacker will inject malicious script into GET request or it’s included in dynamic content. Usually XSS is enabled because a Web app fails to validate the input.