Salesforce Fixes Major Marketing Cloud Security Flaws

Salesforce Fixes Major Marketing Cloud Security Flaws

Posted on By CWS

Security vulnerabilities within Salesforce Marketing Cloud (SFMC) were discovered that could have potentially exposed private email data of millions from numerous organizations. These issues have since been resolved.

Vulnerability Details and Impact

The root of the problem lay in the platform’s scripting features and outdated encryption protocols. These weaknesses allowed unauthorized access to email communications across the entire platform.

Salesforce Marketing Cloud, previously known as ExactTarget, is a leading email marketing solution, utilized by industries such as aviation, finance, and technology. Its extensive use among Fortune 500 companies highlighted its potential as a target for data breaches.

Discovery and Resolution

Researchers from Searchlight Cyber identified the vulnerabilities, focusing on template injection issues and a flawed encryption method used in email viewing links. These flaws exposed organizations to significant data risks.

With a shared infrastructure and single static key, a breach in one account could compromise data across all accounts. The attack included executing scripts through user inputs during email sign-ups.

Steps Taken by Salesforce

Salesforce’s efforts to address these issues included disabling problematic script evaluations and implementing tighter encryption controls. The company has issued new CVE identifiers for the vulnerabilities and upgraded their encryption methods.

By replacing the insecure XOR cipher with AES-GCM encryption, Salesforce has significantly reduced the risk of unauthorized access. All email links were regenerated to comply with the new security standards.

Future Precautions for Organizations

Organizations utilizing SFMC are advised to review and update their email templates, scrutinize user inputs, and ensure links are secure under the new encryption scheme. This proactive approach is vital for maintaining data integrity.

For more updates on this and other cybersecurity news, follow us on Google News, LinkedIn, and X. Ensure you set CSN as a preferred source in Google for instant updates.

Cyber Security News Tags:, , , , , , , , , , , , , ,

Related Posts

LexisNexis Breach Exposes Data from AWS Servers LexisNexis Breach Exposes Data from AWS Servers Cyber Security News
New Chinese Nexus APT Hackers Attacking Organizations to Deliver NET-STAR Malware Suite New Chinese Nexus APT Hackers Attacking Organizations to Deliver NET-STAR Malware Suite Cyber Security News
Monsta web-based FTP Remote Code Execution Vulnerability Exploited Monsta web-based FTP Remote Code Execution Vulnerability Exploited Cyber Security News
Threat Actors Weaponizes LNK Files to Deploy RedLoader Malware on Windows Systems Threat Actors Weaponizes LNK Files to Deploy RedLoader Malware on Windows Systems Cyber Security News
How SOC Teams Detect Can Detect Cyber Threats Quickly Using Threat Intelligence Feeds How SOC Teams Detect Can Detect Cyber Threats Quickly Using Threat Intelligence Feeds Cyber Security News
Two Americans Jailed for Assisting North Korean Cyber Operations Two Americans Jailed for Assisting North Korean Cyber Operations Cyber Security News