If you use Salesforce Aura Communities then there is an issue that can let users see data that they possibly should not see. Sometimes, due to a misconfiguration by the Salesforce Administrator, the user can see ALL the Contact records in the system. There is a workaround for this and I will explain that at the end of this post.
Firstly, a quick explanation before we get to the meat of the issue — Aura Communities are just one type of community in Salesforce; there are also VisualForce communities, as well as the newer Lightning Web Runtime communities. The majority of communities out there are Aura communities.
In August 2022, I found an issue with my customer’s Salesforce Aura Community. With a simple URL hack, I could get access to the standard Salesforce UI, I had bypassed the custom community UI that my customer had created. This meant that I could see all the data that my profile and permission sets allowed.
That doesn’t sound bad, does it? However, there is a nuance: in Salesforce Aura communities you control the data that is shown by only exposing the data you want your customer or partner to see via the Aura pages you build, and thereby you are lulled into a false sense of security that the user can only see the data on those pages…
And if you have misconfigured your sharing settings and set the External Sharing setting to Public Read (or Public Read/Write), then the user can see ALL the data in that object… That is a recipe for a data breach, and one I have found four (update Dec 9 2023 — six) times while doing security assessments for my customers.
Salesforce provides a free tool, the Salesforce Optimizer, in the Setup area of each org, which will highlight which objects have their external sharing set to Public. The Portal Health Check, also in the Setup area, will show sharing issues as well.
Krebs on Security published an article as I was drafting this blog highlighting Salesforce Community security issues for the Guest user. I am not sure what method was used for the leaks mentioned there; however, my guess is that it is similar to the issue I found. As mentioned in the Krebs article, there is a free AppExchange app called the Guest User Access Report which will show whether there is any misconfiguration of your Guest user.
I use both the Optimizer as well as the Portal Health Check and the Guest User Access Report in my assessments.
I raised the issue in a case with Salesforce in August 2022, which was eventually closed in April 2023 with “this is not a bug”. I can see their point, as you are only seeing data that your profile/permission set(s) allow; however, I believe it is still a compromise and should be fixed.
So, how do you do the simple hack? Just log into the Aura community, change the /s/ and anything after it in the URL to /003, and hit Enter. This will take you to a standard Salesforce list view, and from there you can go anywhere your object access permissions allow.
The fix is to use the URL Redirects feature to redirect the /003 to / and thereby stop the issue. You need to do this for all the object prefixes that exist in your org.
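As an added example (my own code, not from the original post or from Salesforce), the following Python script puts the two checks from this post side by side: it flags objects whose external org-wide default is Public Read or Public Read/Write, builds one URL redirect rule per object key prefix (the /003 in the post is Contact’s key prefix), and recognises a community request path that has had /s/ swapped for a key prefix so you can spot it in web logs. It assumes the object rows look like Tooling API EntityDefinition records (QualifiedApiName, KeyPrefix, ExternalSharingModel) and uses a constructed sample rather than a live org; the redirect dicts are a neutral shape for an administrator to enter into the URL Redirects feature, not a Salesforce API.

```python
"""
Audit helper for the Aura community URL-bypass issue described in the post.
Added example; not code from the original post or from Salesforce.
Assumptions (not from the post): object rows are shaped like Tooling API
EntityDefinition records (QualifiedApiName, KeyPrefix, ExternalSharingModel),
and request paths are relative to the community site root.
"""
import re

# Constructed sample of EntityDefinition-style rows, for illustration only.
SAMPLE_ENTITIES = [
    {"QualifiedApiName": "Contact", "KeyPrefix": "003", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Account", "KeyPrefix": "001", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Case", "KeyPrefix": "500", "ExternalSharingModel": "ReadWrite"},
    {"QualifiedApiName": "Invoice__c", "KeyPrefix": "a01", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "ContactHistory", "KeyPrefix": None, "ExternalSharingModel": "ControlledByParent"},
]

# Constructed sample of request paths (site-root relative) as they might appear in web logs.
SAMPLE_PATHS = ["/s/", "/s/contact/0031", "/003", "/003/o", "/500/o", "/apex", "/001"]

# External sharing models that expose every record of the object to external users.
PUBLIC_EXTERNAL_MODELS = {"Read", "ReadWrite"}

# A Salesforce key prefix is exactly three alphanumeric characters.
_PREFIX_PATH = re.compile(r"^/([0-9A-Za-z]{3})(?:/.*)?$")


def public_external_objects(entities):
    """API names whose external org-wide default is Public Read or Public Read/Write."""
    return sorted(e["QualifiedApiName"] for e in entities
                  if e.get("ExternalSharingModel") in PUBLIC_EXTERNAL_MODELS)


def key_prefixes(entities):
    """Every key prefix in the org; rows without one (history tables etc.) are skipped."""
    return sorted({e["KeyPrefix"] for e in entities if e.get("KeyPrefix")})


def at_risk(entities):
    """(name, prefix) pairs where a public external default meets a reachable list view."""
    return sorted((e["QualifiedApiName"], e["KeyPrefix"]) for e in entities
                  if e.get("KeyPrefix") and e.get("ExternalSharingModel") in PUBLIC_EXTERNAL_MODELS)


def redirect_rules(prefixes, target="/"):
    """One redirect per prefix, sending /<prefix> back to the community home page."""
    return [{"source": f"/{p}", "target": target, "permanent": True} for p in prefixes]


def bypass_attempt(path, prefixes):
    """Return the key prefix if the path is /<prefix>[/...] for a known prefix, else None."""
    m = _PREFIX_PATH.match(path)
    if m and m.group(1) in prefixes:
        return m.group(1)
    return None


def flag_paths(paths, prefixes):
    """Subset of request paths that look like the /s/ -> /<prefix> swap."""
    return [p for p in paths if bypass_attempt(p, prefixes) is not None]


if __name__ == "__main__":
    prefixes = set(key_prefixes(SAMPLE_ENTITIES))
    print("Public external sharing:", public_external_objects(SAMPLE_ENTITIES))
    print("At risk (public + prefix):", at_risk(SAMPLE_ENTITIES))
    for rule in redirect_rules(sorted(prefixes)):
        print("Redirect", rule["source"], "->", rule["target"])
    print("Suspicious paths:", flag_paths(SAMPLE_PATHS, prefixes))
```

Run it as-is to see the constructed sample audited; with a real org, replace SAMPLE_ENTITIES with the rows returned by a Tooling API query on EntityDefinition and SAMPLE_PATHS with the paths from your community’s access logs. The redirect list is the point of the post’s fix: one rule per prefix, not just /003, because every object with a key prefix has a list view reachable the same way.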
This is a brief explanation to keep this post short, however I have a detailed version of this on my website: https://www.platinum7.com.au/post/the-salesforce-communities-security-issue which includes how to get all the object prefixes in your org and step by step fix instructions.
Thanks for reading this and please fix your communities as soon as possible. Also please upvote my idea to get this fixed properly.