Salesforce Fixes Major Marketing Cloud Security Flaws

Salesforce Fixes Major Marketing Cloud Security Flaws

Posted on By CWS

Security vulnerabilities within Salesforce Marketing Cloud (SFMC) were discovered that could have potentially exposed private email data of millions from numerous organizations. These issues have since been resolved.

Vulnerability Details and Impact

The root of the problem lay in the platform’s scripting features and outdated encryption protocols. These weaknesses allowed unauthorized access to email communications across the entire platform.

Salesforce Marketing Cloud, previously known as ExactTarget, is a leading email marketing solution, utilized by industries such as aviation, finance, and technology. Its extensive use among Fortune 500 companies highlighted its potential as a target for data breaches.

Discovery and Resolution

Researchers from Searchlight Cyber identified the vulnerabilities, focusing on template injection issues and a flawed encryption method used in email viewing links. These flaws exposed organizations to significant data risks.

With a shared infrastructure and single static key, a breach in one account could compromise data across all accounts. The attack included executing scripts through user inputs during email sign-ups.

Steps Taken by Salesforce

Salesforce’s efforts to address these issues included disabling problematic script evaluations and implementing tighter encryption controls. The company has issued new CVE identifiers for the vulnerabilities and upgraded their encryption methods.

By replacing the insecure XOR cipher with AES-GCM encryption, Salesforce has significantly reduced the risk of unauthorized access. All email links were regenerated to comply with the new security standards.

Future Precautions for Organizations

Organizations utilizing SFMC are advised to review and update their email templates, scrutinize user inputs, and ensure links are secure under the new encryption scheme. This proactive approach is vital for maintaining data integrity.

For more updates on this and other cybersecurity news, follow us on Google News, LinkedIn, and X. Ensure you set CSN as a preferred source in Google for instant updates.

Cyber Security News Tags:, , , , , , , , , , , , , ,

Related Posts

Urgent Security Updates Issued for Apache Tomcat Vulnerabilities Urgent Security Updates Issued for Apache Tomcat Vulnerabilities Cyber Security News
APT Hackers Attacking Indian Government Using GOGITTER tool and GITSHELLPAD Malware APT Hackers Attacking Indian Government Using GOGITTER tool and GITSHELLPAD Malware Cyber Security News
Nimbus Manticore Attacking Defense and Telecom Sectors With New Malware Nimbus Manticore Attacking Defense and Telecom Sectors With New Malware Cyber Security News
Hacktivist Groups Attacks on Critical ICS Systems to Steal Sensitive Data Hacktivist Groups Attacks on Critical ICS Systems to Steal Sensitive Data Cyber Security News
Hackers Deliver SSH-Tor Backdoor Via Weaponized Military Documents in ZIP Files Hackers Deliver SSH-Tor Backdoor Via Weaponized Military Documents in ZIP Files Cyber Security News
Achieving Continuous Compliance in Dynamic Threat Environments Achieving Continuous Compliance in Dynamic Threat Environments Cyber Security News