Overly permissive ‘guest’ settings put Salesforce customers at risk

Source: Overly permissive ‘guest’ settings put Salesforce customers at risk | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4143667/overly-permissive-guest-settings-put-salesforce-customers-at-risk.html

ONE SENTENCE SUMMARY:

Salesforce warns ShinyHunters is mass-scanning misconfigured Experience Cloud guest access to steal exposed CRM data for extortion.

MAIN POINTS:

  1. Salesforce urged customers to review Experience Cloud “guest” configurations after active data-theft reports.
  2. ShinyHunters claims breaches at hundreds of organizations, citing 400 websites and 100 high-profile companies.
  3. Campaign targets misconfigured public portals, not underlying Salesforce platform vulnerabilities.
  4. Salesforce CSOC observed a known threat actor scanning public Experience Cloud sites at scale.
  5. Attackers leverage a modified Aura Inspector tool to probe and extract accessible data.
  6. Exploitation focuses on the “/s/sfsites/aura” API endpoint exposed by Experience Cloud sites.
  7. Overly permissive guest profiles can allow direct querying of backend CRM objects without credentials.
  8. Advisory highlights three risky conditions enabling unauthorized data access through guest profiles: permissive guest object permissions, non-private external org-wide defaults, and public API access enabled for guest users.
  9. Salesforce environments attract attackers due to sensitive data and complex layered permission models.
  10. Recommended mitigations include auditing guest permissions, limiting APIs, restricting object visibility, and least privilege.

TAKEAWAYS:

  1. Misconfiguration, especially guest access, can expose significant Salesforce data without any exploit.
  2. Automated scanning tools make public Experience Cloud portals high-risk if permissions are lax.
  3. Three controls matter most: tight guest profile object permissions, private external org-wide defaults, and disabling public API access for guest users.
  4. Complex Salesforce access models and integrations increase accidental exposure and blast radius.
  5. Hardening requires continuous auditing and strict least-privilege enforcement across portals and APIs.
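A guest user only reaches CRM records through the site when two things line up: the guest profile grants an object permission (main point 7) and the object's external org-wide default or a guest sharing rule grants record access (takeaway 3). The following audit script is an added example, not code from the CSO Online article or from Salesforce. It assumes the results of two SOQL queries (shown in the docstring; run beforehand with something like `sf data query --json`) in the sf CLI's `{"status": 0, "result": {"records": [...]}}` shape, and that `EntityDefinition.ExternalSharingModel` and `ObjectPermissions.Parent.Profile` are queryable as written. The records it ships with are constructed for illustration.

```python
"""Offline audit of Salesforce guest-user exposure (added example).

Assumed inputs, captured earlier with `sf data query --json` (assumption: the CLI's
{"status":..,"result":{"records":[..]}} shape and these field names):

  SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
         PermissionsDelete, Parent.Profile.Name
  FROM ObjectPermissions
  WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest'

  SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition
"""
import json

# Constructed sample of the guest profile's object permissions (not real data).
GUEST_PERMS_JSON = json.dumps({"status": 0, "result": {"records": [
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "Parent": {"Profile": {"Name": "Customer Portal Guest"}}},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "Parent": {"Profile": {"Name": "Customer Portal Guest"}}},
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "Parent": {"Profile": {"Name": "Customer Portal Guest"}}},
    {"SobjectType": "Opportunity", "PermissionsRead": False, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "Parent": {"Profile": {"Name": "Customer Portal Guest"}}},
]}})

# Constructed sample of external org-wide defaults (OWD) per object (not real data).
OWD_JSON = json.dumps({"status": 0, "result": {"records": [
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Knowledge__kav", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Opportunity", "ExternalSharingModel": "Private"},
]}})

# External OWD values under which every record is visible to guests without a sharing rule.
PUBLIC_OWD = {"Read", "ReadWrite", "ReadWriteTransfer", "FullAccess"}
WRITE_PERMS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")


def records(json_text):
    """Return the records list from sf-CLI-shaped JSON; fail loudly if the query failed."""
    doc = json.loads(json_text)
    if doc.get("status", 1) != 0:
        raise ValueError("query failed: %r" % doc)
    return doc["result"]["records"]


def audit_guest_exposure(perm_records, owd_records):
    """Join guest object permissions with external OWDs and rate each object.

    Only the combination of an object permission and record-level access is a
    credential-less data path through the site's /s/sfsites/aura endpoint, so
    the severity depends on both halves.
    """
    owd = {r["QualifiedApiName"]: r["ExternalSharingModel"] for r in owd_records}
    findings = []
    for r in perm_records:
        obj = r["SobjectType"]
        model = owd.get(obj, "Unknown")
        writes = [p[len("Permissions"):] for p in WRITE_PERMS if r.get(p)]
        if writes:  # any write permission lets an unauthenticated visitor modify data
            findings.append({"object": obj, "severity": "HIGH", "owd": model,
                             "reason": "guest profile grants %s on this object" % "/".join(writes)})
        if r.get("PermissionsRead"):
            if model in PUBLIC_OWD:
                sev, why = "HIGH", "Read permission plus public external OWD: all records queryable without credentials"
            elif model == "ControlledByParent":
                sev, why = "MEDIUM", "Read permission; record access inherits from the parent object, check its external OWD"
            elif model == "Private":
                sev, why = "LOW", "Read permission but external OWD Private: only records shared to the guest user by sharing rules are visible"
            else:
                sev, why = "MEDIUM", "Read permission; external OWD unknown, verify manually"
            findings.append({"object": obj, "severity": sev, "owd": model, "reason": why})
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["object"]))
    return findings


def main():
    for f in audit_guest_exposure(records(GUEST_PERMS_JSON), records(OWD_JSON)):
        print("%-6s %-16s OWD=%-10s %s" % (f["severity"], f["object"], f["owd"], f["reason"]))


if __name__ == "__main__":
    main()
```

On the constructed sample this reports Contact and Knowledge__kav as HIGH (readable object plus public external OWD), Case as HIGH for the Create grant and LOW for its Read grant (Private OWD), and nothing for Opportunity. The third condition from the advisory, public API access for guest users, is a per-site setting rather than an object-level permission, so it is not covered by these queries and must be checked in each Experience Cloud site's settings.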