Commentary

Salesforce Patch Job: Company Corrects Email Security Vulnerability

A possible cybersecurity issue that could have allowed bad actors to access consumer data was resolved. 

Salesforce Marketing Cloud (SFMC) patched vulnerabilities that would have enabled hackers to read emails and subscriber data from a range of companies, including those in the Fortune 500. These gaps were discovered by security firm Searchlight Cyber.  

“Our security research team discovered a vulnerability in Salesforce Marketing Cloud that allowed us to leak PII (personally identifiable information) of subscribers, as well as emails sent through SFMC, without any authentication,” Searchlight Cyber posted. 

Salesforce was notified of the problem on Jan. 16 of this year and a remediation was in place by Jan. 24, Searchlight Cyber reports. 

“We are aware of the report by Searchlight Cyber and have remediated the issues identified,” said a Salesforce spokesperson in response to a query. “Based on our investigation to date, we have not identified any confirmed unauthorized access to or misuse of customer data related to this matter. We value the role of the security research community in identifying potential issues, and we appreciate Searchlight Cyber’s partnership as we continue to strengthen our security controls to protect customers.”


Salesforce Marketing Cloud is the former ExactTarget, a legacy technology firm acquired by Salesforce.

The main problem was email template injection. 

“Simply by signing up accounts with payloads in the name field we were able to find template injections in big players across almost every sector in the industry,” including those in aviation, technology, energy and finance. 

The report cites AMPScript, a “fully featured programming language with loops, if statements, variables, and a whole function library.”  This tool allows firms to “template emails sent to each user in their contact list.”
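The injection path described above starts with subscriber-supplied data (a name field) reaching a template where AMPScript is evaluated. The following screening check is an added example, not code from Searchlight Cyber or Salesforce; it flags signup fields that contain AMPScript delimiters before a tenant stores or renders them, as a defense-in-depth control alongside the platform-side fix. The field names and sample records are constructed.

```python
import re

# AMPScript constructs that are evaluated, not displayed, when they land in an
# email template: block code %%[ ... ]%%, inline output %%= ... =%%, and
# personalization strings %%Name%%. Patterns follow the public AMPScript syntax.
FULL_CONSTRUCTS = {
    "block": re.compile(r"%%\[.*?\]%%", re.DOTALL),
    "inline": re.compile(r"%%=.*?=%%", re.DOTALL),
    "personalization": re.compile(r"%%[A-Za-z_][A-Za-z0-9_]*%%"),
}
# An opening delimiter with no closing one is still worth flagging.
BARE_DELIMITER = re.compile(r"%%\[|%%=")


def find_ampscript(value: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for each AMPScript construct found in value."""
    findings = [
        (kind, m.group(0))
        for kind, pattern in FULL_CONSTRUCTS.items()
        for m in pattern.finditer(value)
    ]
    if not findings:
        bare = BARE_DELIMITER.search(value)
        if bare:
            findings.append(("unterminated", bare.group(0)))
    return findings


def screen_subscriber(record: dict) -> dict:
    """Screen untrusted signup fields; return only the fields that must not be
    interpolated into a template as-is, mapped to what was found in them."""
    rejected = {}
    for field, value in record.items():
        if isinstance(value, str):
            hits = find_ampscript(value)
            if hits:
                rejected[field] = hits
    return rejected


# Constructed sample signup records (hypothetical, not real subscriber data).
SAMPLES = [
    {"email": "alice@example.com", "first_name": "Alice"},
    {"email": "bob@example.com", "first_name": "%%=v(@foo)=%% Bob"},
    {"email": "carol@example.com", "first_name": "%%[ set @x = 1 ]%% Carol"},
    {"email": "dave@example.com", "first_name": "Dave %%FirstName%%"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["email"], screen_subscriber(rec) or "clean")
```

A record that comes back with rejected fields should be held for review or have the field neutralized rather than passed to the template engine; a literal percent sign in a name (e.g. "50%% off") does not trip the check.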

Searchlight Cyber alleges that with AMPScript, it had found:

  • A way to disclose the entire contacts DB, even blind.
  • An unintuitive double evaluation in the subject line of emails. 

And with the email view feature, Searchlight Cyber had:

  • A way to decrypt the encrypted query string in the most popular classic format. 
  • A way to re-encrypt new parameters, leading to the leak of all sent emails and email data in the DB. 
  • A way to do this cross-tenant, which allowed accessing of all emails ever sent by SFMC.

Good work by both Searchlight Cyber and Salesforce. 

The full blog post by Searchlight Cyber can be found here.
