Beware of Ghost Sites: Silent Threat Lurking in Your Salesforce Communities

Improperly deactivated and abandoned Salesforce Sites and Communities (aka Experience Cloud) could pose severe risks to organizations, leading to unauthorized access to sensitive data.

Data security firm Varonis dubbed the abandoned, unprotected, and unmonitored resources “ghost sites.”

“When these Communities are no longer needed, though, they are often set aside but not deactivated,” Varonis Threat Labs researchers said in a new report shared with The Hacker News.

“Because these unused sites are not maintained, they aren’t tested against vulnerabilities, and Admins fail to update the site’s security measures according to newer guidelines.”

Varonis said it found many of these deactivated (but still active) sites still fetching new data, thereby allowing threat actors to extract data by manipulating the host header in the HTTP request.

Identifying the complete internal URLs associated with the sites is challenging but not impossible, as an adversary could leverage tools like SecurityTrails that track changes to DNS records.

Compounding the risk further is the fact that the obsolete sites lack the latest security protections, making them an ideal target for threat actors looking to siphon sensitive information.

“The exposed data is not restricted to only old data from when the site was in use; it also includes new records that were shared with the guest user, due to the sharing configuration in their Salesforce environment,” the researchers said.

To mitigate the threats associated with ghost sites, organizations are advised to keep track of all Salesforce sites and their respective users’ permissions. It’s also recommended to properly deactivate sites that are no longer in use.