If your organisation uses Salesforce Communities and Einstein Activity Capture, you might have unknowingly exposed your administrator’s Outlook or Google calendar events to the internet due to a bug called Einstein’s Wormhole discovered by the Varonis research team.
Exposed calendar events can contain highly sensitive contents such as attendee names and emails, meeting URLs and passwords, agendas, file attachments, and email replies sent to the organiser.
The issue was reported to Salesforce and their talented and extremely responsive team quickly fixed the bug. However, if your Salesforce Community was created prior to Summer 2021, you must remediate exposed calendar events.
Steps to take immediately:
- Change your guest user’s email to a dummy email (e.g., email@example.com or firstname.lastname@example.org)
- Remove sensitive calendar events that Einstein associated with your guest user
Salesforce fixed the bug so that new Community sites no longer associate the guest user with a real user's email address. If your Community was created before June 2021, it is recommended that you change the guest user's email for every one of your Community sites to a dummy address that is not tied to any real user's calendar.
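Before changing anything, it helps to know which guest users are actually carrying a real user's address. The script below is an added example (not Varonis or Salesforce code) that runs over an exported list of User records and flags every guest user whose Email collides with a non-guest user, then produces the field update for each and the SOQL you would run to review that guest's events. The CSV rows are constructed for illustration; `USER_QUERY` uses the standard User fields, and the `event_query` helper assumes the events to review are standard Event records owned by the guest, which you should adjust if your org stores them elsewhere.

```python
"""Pre-remediation audit for the guest-user/calendar exposure described above.

Added example, not Varonis or Salesforce code. It works on an exported list
of User records; the CSV below is constructed for illustration and the
field names follow the standard Salesforce User object.
"""
import csv
import io
import re
from dataclasses import dataclass

# SOQL to export the records this script expects. UserType = 'Guest' is the
# type Salesforce assigns to a site/community guest user.
USER_QUERY = (
    "SELECT Id, Name, Username, Email, UserType, IsActive FROM User "
    "WHERE UserType IN ('Guest', 'Standard')"
)

# Constructed sample export: one guest user still carrying an admin's
# address (the exposure pattern) and one already set to a dummy address.
SAMPLE_USERS_CSV = """\
Id,Name,Username,Email,UserType,IsActive
005000000000001,Ada Admin,ada.admin@corp.example,ada.admin@corp.example,Standard,true
005000000000002,Partner Site Guest User,partner-guest@corp.example.site,Ada.Admin@corp.example,Guest,true
005000000000003,Support Site Guest User,support-guest@corp.example.site,email@example.com,Guest,true
005000000000004,Bob Builder,bob@corp.example,bob@corp.example,Standard,true
"""

PLACEHOLDER_EMAIL = "email@example.com"
SF_ID = re.compile(r"^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$")


@dataclass(frozen=True)
class Finding:
    guest_id: str
    guest_name: str
    guest_email: str
    real_user_id: str
    real_user_name: str


def parse_users(csv_text: str) -> list[dict]:
    """Parse a User export (as produced by USER_QUERY) into dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def normalise(email: str) -> str:
    # Email matching is case-insensitive, so compare lower-cased, trimmed values.
    return (email or "").strip().lower()


def find_collisions(users: list[dict]) -> list[Finding]:
    """Guest users whose Email equals the Email of a non-guest (real) user."""
    real_by_email: dict[str, list[dict]] = {}
    for u in users:
        if u["UserType"] != "Guest" and normalise(u["Email"]):
            real_by_email.setdefault(normalise(u["Email"]), []).append(u)
    findings = []
    for u in users:
        if u["UserType"] != "Guest":
            continue
        for r in real_by_email.get(normalise(u["Email"]), []):
            findings.append(Finding(u["Id"], u["Name"], u["Email"], r["Id"], r["Name"]))
    return findings


def remediation_plan(findings, placeholder=PLACEHOLDER_EMAIL) -> dict[str, dict]:
    """Field update to apply to each affected guest user, keyed by Id."""
    return {f.guest_id: {"Email": placeholder} for f in findings}


def event_query(guest_id: str) -> str:
    """SOQL listing events owned by the guest user, for review before deletion.

    Assumption: the events to review are standard Event records owned by the
    guest; if your org keeps them elsewhere, adjust the object and field.
    """
    if not SF_ID.match(guest_id):
        # Only a well-formed Id is interpolated, so nothing else reaches the query.
        raise ValueError(f"not a Salesforce Id: {guest_id!r}")
    return (
        "SELECT Id, Subject, StartDateTime, IsPrivate FROM Event "
        f"WHERE OwnerId = '{guest_id}'"
    )


if __name__ == "__main__":
    found = find_collisions(parse_users(SAMPLE_USERS_CSV))
    for f in found:
        print(f"{f.guest_name} ({f.guest_id}) shares {f.guest_email} with {f.real_user_name}")
        print("  update:", remediation_plan([f])[f.guest_id])
        print("  review:", event_query(f.guest_id))
```

Run it against a real export by replacing `SAMPLE_USERS_CSV` with the result of `USER_QUERY`; each finding names the guest user to update and the real user whose calendar it could pick up, and the review query lets you inspect what is attached to the guest before deleting it.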
The biggest takeaway from this research is that SaaS risk increases as services become interconnected. In this case, two seemingly disconnected features are tied together in an unexpected and undesired way. These small misconfigurations or minor vulnerabilities can have disastrous consequences.
In addition, it's crucial for enterprises to understand the shared responsibility model when working with SaaS providers. The provider secures the platform itself; once an enterprise puts data into a SaaS application, it is the enterprise's responsibility to configure the application so that the data is not exposed.
It’s critical for organisations to understand their SaaS landscape and how products affect one another. Think about creating something akin to a network topology diagram for your SaaS products to paint a clear picture of how data flows from one app to the next.
Consider using a cloud security product to visualise exactly what a user (even a guest user!) has access to across all your different SaaS apps, classify sensitive data, and monitor behaviour for anomalies.