Misconfigured Custom Salesforce Apps Expose Corporate Data

Enterprises typically use the Java-like programming language to customize their Salesforce instances, but attackers are hunting for vulnerabilities in the apps.

A new security advisory warns Salesforce users with customized instances to check for common programming errors and misconfigurations that can expose their sales data.
At the heart of the problem is the Apex programming language, a Java-like tool that allows companies to add functionality to their Salesforce instances and developers to create apps for the Salesforce AppExchange marketplace. Simple errors and misconfigurations while using the tool, however, can result in vulnerabilities that undermine security of corporate Salesforce applications, security experts at data security firm Varonis say.
Varonis researchers discovered that multiple government organizations and companies had customized or added on features to their Salesforce Apex code that leaked data, allowed data corruption, or allowed an attacker to disrupt business functions. The at-risk data included sensitive information such as phone numbers, home addresses, and SSNs, but also credentials, such as usernames and passwords, says Nitay Bachrach, senior security researcher at Varonis, who conducted the assessment.
In some cases, the exploitation was very tricky and required techniques we developed in-house, and in others, it was a simple oversight — the guest user was just able to execute code for no reason, and that leaked sensitive data, he says. Under the shared responsibility model, users can choose to write code, but theyre also responsible for making sure it is secure. Salesforce is not responsible for Apex code ... uploaded by the users to their Salesforce instances.
Varonis is the latest security firm to
warn of common misconfigurations
in Salesforce sites and applications, which often have run with lax permissions. The combination of the lack of security review of custom Apex code used in internal Salesforce instances and other components such as Lightning Communities has led to vulnerable sites and cloud applications, SaaS security firm AppOmni
stated in a research paper in 2021
.
In 2023, security researcher Charan Akiri, now at Reddit, discovered that Salesforce Apex
misconfigurations allowed data to be accessed on more than 100 websites
belonging to government agencies and large companies, such as banks and hospitals.
The problem is likely widespread because the platform makes it easy to exceed permissions, says Brian Soby, chief technology officer and co-founder of AppOmni, who worked in product security at Salesforce for more than five years.
By default, Apex can access any data and it doesnt matter if the calling user is allowed to access that data, he says. So you can have a very limited user call into a VisualForce page or an Apex ... and they could ask [for] data that they cant get themselves, all because the Apex is running with heightened permissions.
At the heart of the Apex issues is whether a developer designates an Apex class as with sharing or without sharing. Confusingly, the without sharing designation is the more dangerous of the two, allowing the Apex code to ignore the users permission, change any record, and commit those changes, Varonis stated in its advisory.
Apex classes that run without sharing — ignoring the users permissions — are a powerful and important capability often required for proper functionality, the advisory stated. However, with great power comes great responsibility. This mode increases risk and should be used carefully, especially when assigned to guest or external users.
When without sharing is set, the service is vulnerable to insecure direct object references (IDOR) — often referred to as Broken Object Level Authorization (BOLA) flaws. In 2023, the Open Worldwide Application Security Project (OWASP)
released an updated top-10 list of API security issues
that listed IDOR as the top risk for APIs. The without sharing attribute also allows more traditional flaws, such as database injection attacks, through the Apex code.
While Salesforce did not directly comment on the Varonis research, the company did stress that security is a top issue. In August 2023, the company
released the top-20 issues
that it discovered through its security scans of Apex apps published to its AppExchange marketplace. Sharing violations ranked No. 3 on the list.
Nothing is more important to us than the security of customer data, a Salesforce spokesperson said in a statement provided to Dark Reading. In addition to our secure coding guidelines, which walk customers through common security issues Salesforce has identified while auditing applications built on or integrated with the Lightning Platform, we offer [several] services for
securing applications and data
, the spokesperson said.
Varonis recommends that Salesforce developers avoid the without sharing configuration when possible, to check all user-supplied inputs, and take care when allowing guest users and external users any access to Apex classes.
Conducting a security assessment of all custom and third-party Apex software is critical, says Varoniss Bachrach.
We recommend securing all Apex classes, but would prioritize those that can be run by guest users, followed by those that can be run by external actors such as customers or partners, he says. Organizations need to follow best practices but also to keep track of access. They should keep the principle of least privilege in mind while writing the code, and while managing access to the Apex classes.
Companies need to make sure that their developers are trained in how to securely create and manage Salesforce applications and instances, and enforce good security behavior, says AppOmnis Soby. He has seen companies send links to specific pages that require no special permissions, giving them — theoretically — a launching pad for attacks.
Salesforce didnt set it up this way by default — this is the customer absolutely shooting themselves in the foot, because either they didnt know what they were doing, or they didnt understand the ramifications of what is, fairly, a very complicated configuration process, he says. Or theyre like, Were just gonna take the shortcut, and maybe nobody will notice, and then meanwhile, some script kiddie runs code that they found on GitHub and sucks down your whole sales forecast.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Misconfigured Custom Salesforce Apps Expose Corporate Data