A configuration issue is causing Salesforce Community sites, including those of banks and healthcare companies, to leak data.

KrebsOnSecurity first reported on an issue that was discovered by security researcher Charan Akiri, who wrote a program to find vulnerable Salesforce sites.

Salesforce Community is a product that makes it easy for companies to set up a website. As Krebs points out, websites can be set up to require authentication or allow guest access. In many cases, however, administrators are mistakenly giving guest users access to information that should require authorization.

“My team is frustrated by the permissive nature of the platform,” said Scott Carbee, Vermont’s Chief Information Security Officer.

Carbee says the pandemic, and the hurried nature of suddenly setting up plethora of online services, exacerbated the problem.

“During the pandemic, we were largely standing up tons of applications, and let’s just say a lot of them didn’t have the full benefit of our dev/ops process,” Carbee said. “In our case, we didn’t have any native Salesforce developers when we had to suddenly stand up all these sites.”

Unfortunately, Vermont is not alone in dealing with the issue. Akiri told Krebs that he found hundreds of organizations with misconfigured Salesforce Community sites that were leaking data. That number is by no means the full scope of the problem, as Akira has been reluctant to delve further as a result of the response he has received.

“In January and February 2023, I contacted government organizations and several companies, but I did not receive any response from these organizations,” Akiri said. “To address the issue further, I reached out to several CISOs on LinkedIn and Twitter. As a result, five companies eventually fixed the problem. Unfortunately, I did not receive any responses from government organizations.”

Salesforce says the issue is not a vulnerability but the result of a misconfiguration.

“As previously communicated to all Experience Site and Sites customers, we recommend utilizing the Guest User Access Report Package to assist in reviewing access control permissions for unauthenticated users,” reads a Salesforce advisory that was released in September 2022. “Additionally, we suggest reviewing the following Help article, Best Practices and Considerations When Configuring the Guest User Profile.”

Administrators responsible for Salesforce Community sites should read Krebs’ report in its entirety and ensure their sites are configured properly.