Salesforce.com Sub-domain Vulnerability Detected, Security Patch Issued

A security flaw of the script-injection type within renowned cloud Customer Relation Management (CRM), Salesforce is capable of exposing Web-surfers to phishing assaults wherein the electronic mails seem as arriving from one trustworthy source.

Elastica the specialist on Cloud application protection recently published the flaw's details that were notified to Salesforce during H1-July and that created scope for attackers towards utilizing one trustworthy Salesforce software base from where to execute spoofed e-mail assaults for capturing end-users' login details followed with compromising accounts.

Although the threat was regarded as affecting passively since it occurred within certain sub-domain instead of within Salesforce's key domain, nevertheless, the flaw was patched August 10, 2015, thanks to Salesforce.

Frighteningly, attackers exploiting the vulnerability could run JavaScript for grabbing session identifiers and cookies that could result in loss of Salesforce account to attackers but with what SOP (Same Origin Policy) existed. The miscreants could compel Salesforce consumers for going to phishing websites for extracting credentials as well as thrust pop-up windows for enabling fraudulent, phishing e-mail assaults, alternatively compel them to take down malware onto their PCs via execution of illegitimate scripts pertaining to the Web-browser executing any attack-prone software.

Lead Architect Aditya Sood of the Cloud Threat Laboratory of Elastica says abusing XSS flaws is a highly prevalent methodology for penetrating Web application. Thewhir.com published this, August 12, 2015.

Sood continues, albeit the vulnerability in discussion existed solely within certain sub-domain of Salesforce, attackers by piggy-backing on the Salesforce key domain's trust could without difficulty execute phishing assaults for acquiring admission into users' credentials. Such filched user-details could subsequently let the attackers get hold of those people's accounts followed with exfiltrating their critical information.

The bottom line- organizations must issue patches immediately on knowing about such security flaws.

They must enforce security strategy that's multi-dimensional while certainly educate their
staff regarding safe surfing activities too along with what risks phishing assaults generate for users, Sood adds. Toptechnews.com published this, August 12, 2015.

Sood notes that organizations must in addition implement security controls on every device of end-users, including those that enable them accessibility of their computers, which mandate dual-factor validation.

» SPAMfighter News - 8/17/2015