Salesforce disclosed a vulnerability that existed in its Marketing Cloud service and that affected companies using the Email Studio and Predictive Intelligence modules. The vulnerability existed in the REST API and enabled calls to the API that could have disclosed data from other customers' accounts.
This was a proactive alert from Salesforce, which discovered the issue and has no evidence that the issue was exploited, but the company could not say with confidence that it had not. The issue was potentially exploitable for just over a month.
Depending on the complexity of the issue, there is a strong chance that it was used maliciously, but the issue has now been fixed. However, this vulnerability demonstrated possible issues that companies face when hosting sensitive data in the cloud.
What caused the cloud API vulnerability?
Errors in web application or API coding often lead to this type of cloud API vulnerability, which is usually the result of an error in the authorization process.
When an application receives a request from a user's web browser or a call to an API, the request will often include variables that identify the customer. The implementation can vary, but the identifier can be as simple as a numeric ID. However, there is no information about how Salesforce implemented its protections.
Sometimes, when the identifier is a simple numerical value assigned to a user, an attacker can easily manipulate it to reveal another user's information or even update their details. This is a very common error with web applications.
Although there is no evidence that data has been exposed by this cloud API vulnerability, it does raise concerns about entrusting sensitive data to cloud providers. The big-name providers, such as Salesforce, are able to invest significantly in security, but they are also much larger targets and attractive to hackers due to the volume and sensitivity of the data they store.
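An added example, not from the original article and not Salesforce's code (the article notes that Salesforce's implementation is not known): the missing authorization check described above, shown beside a hardened version that also records denied cross-customer requests for monitoring. The record IDs, tenants, tokens and function names are all constructed for illustration.

```python
# Constructed sample data: records keyed by numeric ID, each owned by one tenant.
RECORDS = {
    1001: {"tenant": "acme", "email_list": ["a@acme.example"]},
    1002: {"tenant": "globex", "email_list": ["b@globex.example"]},
}
# Constructed session store: API token -> tenant the token was issued to.
SESSIONS = {"token-acme": "acme", "token-globex": "globex"}


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def authenticate(token):
    """Resolve the caller's tenant from server-side state, never from the request."""
    tenant = SESSIONS.get(token)
    if tenant is None:
        raise ApiError(401, "invalid token")
    return tenant


def get_record_vulnerable(token, record_id):
    """Authenticates the caller but never checks who owns record_id."""
    authenticate(token)
    record = RECORDS.get(record_id)
    if record is None:
        raise ApiError(404, "not found")
    return record  # any valid token can read any tenant's record


def get_record_hardened(token, record_id, audit_log):
    """Authorizes every object access against the authenticated tenant."""
    tenant = authenticate(token)
    record = RECORDS.get(record_id)
    if record is None or record["tenant"] != tenant:
        if record is not None:
            # A real ID owned by someone else: keep a trail for monitoring.
            audit_log.append({"tenant": tenant, "record_id": record_id,
                              "event": "cross_tenant_denied"})
        # Same 404 for "missing" and "not yours" so IDs cannot be enumerated.
        raise ApiError(404, "not found")
    return record
```

The audit trail is what lets a provider later answer whether, and for how long, another customer's records were requested.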
What mitigation strategies are there?
No organization is immune from hacking attacks. Unfortunately, there is not a lot that Salesforce or other cloud provider customers can do.
There are ways for cloud providers to directly monitor the API for vulnerabilities, but many of the processes will be invisible to the end client. Customers have to rely on the security processes of the cloud provider -- such as secure coding, regular penetration testing and protective monitoring -- to minimize the risk of this type of issue occurring and exposing data.
Overall, although this cloud API vulnerability could have proved significant had it not been discovered promptly, Salesforce was able to track how the issue occurred and how long it was potentially exploitable. This demonstrates that significant security vulnerabilities can occur even with large cloud providers, and customers should be aware of this when choosing whether to store their data in the cloud.