[TIMESTAMP: 2026-03-10 08:16 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Salesforce Experience Cloud Mass-Scanning via Modified AuraInspector

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Threat actors are mass-scanning Salesforce Experience Cloud sites to exploit permissive guest user permissions and extract sensitive organizational data.
  • [02] Impacted systems include Salesforce Experience Cloud sites where guest user access is overly permissive or incorrectly configured.
  • [03] Administrators must immediately audit guest user profile permissions and restrict access to sensitive objects and fields.

Salesforce recently issued a warning regarding an increase in malicious scanning activity targeting Experience Cloud sites. According to The Hacker News, threat actors are utilizing a modified version of the open-source AuraInspector tool to identify and exploit misconfigured guest user permissions. This activity allows unauthorized individuals to access sensitive records, including personally identifiable information (PII) and internal organizational data, without requiring valid credentials.

Technical Analysis of Experience Cloud Vulnerabilities

Experience Cloud sites use the Salesforce Aura framework to deliver dynamic web content and interactive components. AuraInspector was originally developed as a browser extension to help developers debug these components by inspecting the state of the Aura framework in real time. By modifying the tool, however, attackers can automate the process of querying Aura-enabled controllers, which lets them discover which objects and fields are accessible to unauthenticated “guest” users without needing a specific CVE exploit.

The primary issue lies in the configuration of the Guest User Profile. While Salesforce has introduced several security defaults in recent years to restrict guest access, legacy configurations or manually adjusted permissions can still leave sensitive objects exposed. The attackers’ TTP is to mass-scan sites for an Aura endpoint that returns data for queries the organization’s sharing rules should have restricted.

Why a Salesforce Experience Cloud Guest User Permissions Audit Is Needed

For organizations utilizing these portals, a Salesforce Experience Cloud guest user permissions audit is a high-priority task. The misconfiguration often stems from the “View All Data” permission or specific object-level permissions being granted to the Guest User Profile during the initial development phase and never revoked. Because Experience Cloud sites are designed for public interaction, the boundary between public and private data is often thin. Attackers exploit this by systematically testing different object names via the modified AuraInspector to see which ones return a successful JSON response.

Detection and Identification of Scanning Activity

SOC teams can identify potential threats by monitoring for unusual traffic patterns directed at the /s/sfsites/aura endpoint. Detecting AuraInspector mass scanning means looking for a high volume of POST requests to this endpoint originating from a single IP address or from a distributed botnet. These requests often carry signatures associated with the Aura framework’s controller actions, specifically those that query records or list object metadata.

If an IoC is identified, such as an IP address performing thousands of requests against specific Aura controllers in a short window, it indicates an active reconnaissance phase. Organizations should feed these logs into their SIEM and generate alerts when unauthenticated users attempt to reach non-public object controllers. This proactive monitoring is essential for preventing the exfiltration of customer records that could later be used for phishing or for lateral movement within the corporate environment.
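As an added example (not code from the original article or from Salesforce), the following Python detector implements the pattern described above: it parses access-log lines, counts POST requests to /s/sfsites/aura per source IP in a sliding window, and also aggregates across all sources so a distributed scan that stays under the per-IP threshold still surfaces. The log lines are constructed, and the log format, thresholds and window size are assumptions to tune per deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

AURA_PATH = "/s/sfsites/aura"
ALL_SOURCES = "*"  # aggregate key: catches distributed scanning that stays under the per-IP threshold
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2026:08:00:{i:02d} +0000] "POST {AURA_PATH} HTTP/1.1" 200 900'
     for i in range(12)]
    + [f'198.51.100.4 - - [10/Mar/2026:08:00:05 +0000] "POST {AURA_PATH} HTTP/1.1" 200 640',
       '198.51.100.4 - - [10/Mar/2026:08:03:10 +0000] "GET /s/ HTTP/1.1" 200 5120',
       f'203.0.113.7 - - [10/Mar/2026:08:02:30 +0000] "POST {AURA_PATH} HTTP/1.1" 403 120']
)

def parse(log_text):
    """Return (timestamp, ip, method, path, status) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["ip"], m["method"], m["path"].split("?")[0], int(m["status"])))
    events.sort(key=lambda e: e[0])
    return events

def find_aura_bursts(log_text, threshold=10, window_seconds=60):
    """Map each source (and ALL_SOURCES) to its peak count of POSTs to the Aura
    endpoint inside any sliding window, for sources that reach `threshold`."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, method, path, _status in parse(log_text):
        if method != "POST" or path != AURA_PATH:
            continue
        for key in (ip, ALL_SOURCES):
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop requests that fell out of the window
            if len(q) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged
```

On the sample data the single scanner 203.0.113.7 is flagged with a peak of 12 POSTs in the window and the site-wide aggregate reaches 13; the second source only issued one Aura POST and is not flagged.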

Remediation and Risk Management

The most effective mitigation for Experience Cloud data exposure is strict application of the principle of least privilege. Salesforce administrators must ensure that “Secure guest user record access” is enabled in the organization’s sharing settings. This setting enforces a private sharing model for guest users, so access must be granted deliberately through Guest User Sharing Rules rather than relying on profile-level permissions.

Recommended actions for defenders include:

  • Review the Guest User Profile for every Experience Cloud site to ensure no sensitive objects have “Read” or “Create” permissions.
  • Enable the “Secure guest user record access” setting in Sharing Settings.
  • Disable API access for guest users unless the site specifically requires it for legitimate functionality.
  • Utilize the Salesforce Health Check and the Guest User Access Report to identify high-risk settings.
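As an added example (not the article's or Salesforce's own tooling), this Python script checks the first three recommendations above against a Guest User Profile exported in Salesforce Metadata API format: it flags Read or Create permissions on sensitive objects and enabled user permissions such as View All Data or API Enabled. The profile XML is constructed, and the list of sensitive objects is an assumption to adapt to the organization's data model.

```python
import xml.etree.ElementTree as ET

# Constructed Profile metadata in Salesforce Metadata API format; not from a real org.
SAMPLE_PROFILE_XML = """
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowRead>true</allowRead>
        <object>Knowledge__kav</object>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowRead>true</allowRead>
        <object>Contact</object>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ViewAllData</name>
    </userPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>
"""
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
# Assumed list of objects the organization treats as sensitive; public content such as
# published Knowledge articles is deliberately not listed.
SENSITIVE_OBJECTS = {"Contact", "Account", "Lead", "Case", "User"}
# User permissions a guest profile should not carry: broad data access and API access.
RISKY_USER_PERMS = {"ViewAllData", "ModifyAllData", "ApiEnabled"}

def audit_guest_profile(xml_text):
    """Return sorted findings like 'Contact:allowRead' or 'userPermission:ViewAllData'."""
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", namespaces=NS)
        if obj in SENSITIVE_OBJECTS:
            for perm in ("allowRead", "allowCreate"):
                if op.findtext(f"m:{perm}", namespaces=NS) == "true":
                    findings.append(f"{obj}:{perm}")
    for up in root.findall("m:userPermissions", NS):
        if up.findtext("m:enabled", namespaces=NS) == "true":
            name = up.findtext("m:name", namespaces=NS)
            if name in RISKY_USER_PERMS:
                findings.append(f"userPermission:{name}")
    return sorted(findings)
```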

By taking these steps, organizations can protect against the unauthorized data harvesting facilitated by tools like the modified AuraInspector and ensure their public-facing portals do not become a gateway for broader data breaches.
