Salesforce plugs silly website XSS hole, hopes nobody spotted it
A cross-site scripting (XSS) vulnerability on Salesforce's website might have been abused to pimp phishing attacks or hijack user accounts. Fortunately the bug has been resolved, apparently before it caused any harm.
Cloud app and security firm Elastica said the issue affected a Salesforce sub-domain –
– and came from a failure to sanitise user-submitted inputs.
The security flaw might also created a mechanism to sling malicious scripts, according to Elastica.
The vulnerability was not present in
but in another subdomain of Salesforce, meaning it posed a lesser risk. Elastica notified Salesforce about the problem around a month ago before going public with the issue after it was resolved.
Cross-site scripting errors, along with SQL injection flaws, habitually hog the top of charts logging the most common classes of web development security slip-ups.
A Salesforce spokesman said: "At Salesforce, trust is our #1 value. We investigated and remediated a minor vulnerability impacting the blog site "admin.salesforce.com", which is not connected to the Salesforce application or customer data. We have no evidence of impact to Salesforce customers or their data."
Commentary on the now resolved security bug on Salesforce's website can be found in a blog post by security tools firm Tripwire here. ®