Salesforce has reported that hackers are using a modified version of the open-source tool AuraInspector to scan for and exploit misconfigured Experience Cloud sites. By targeting overly permissive guest user settings, these attackers can bypass standard restrictions to scrape sensitive data from public-facing profiles.
The security alert highlights a trend of attackers leveraging specialized tools to probe for administrative oversights in cloud environments. Originally developed to help security teams find vulnerabilities, a customized version of AuraInspector is now being used to automate the extraction of data from Salesforce sites. This activity relies on identifying sites where guest user profiles have been granted broad permissions, allowing unauthenticated actors to access internal records that should remain private.
This method of data theft does not stem from a flaw in the Salesforce platform itself but rather from how individual organizations set up their guest access. Experience Cloud sites typically allow anonymous users to view basic information like FAQs, but if the guest profile is not restricted, it can serve as a doorway to CRM objects. The attack succeeds only when customers have failed to follow recommended security hardening guidelines, leaving their public endpoints exposed to direct queries.
Salesforce has linked this campaign to a known threat group, noting that the tactics align with identity-based targeting. Groups like ShinyHunters have previously demonstrated a focus on these environments to harvest contact details for secondary attacks. The information gathered during these scans, such as employee names and phone numbers, is frequently repurposed for sophisticated social engineering or voice phishing schemes aimed at further infiltrating the target company.
To mitigate these risks, organizations are urged to audit their Experience Cloud configurations immediately. Primary defenses include setting default external access for all objects to private and disabling guest user access to public APIs. Restricting visibility settings is also crucial to prevent attackers from mapping out internal organization members. Monitoring system logs for unusual or high-volume queries can provide early warning of an ongoing scan.
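As an added illustration of the log-monitoring recommendation above (this is example code, not Salesforce's or the advisory's), the script below flags guest-user sources that return an unusually large number of rows or touch many different objects within a short window. The log line format, the field names and the thresholds are assumptions chosen for the demonstration; the sample lines are constructed, not captured from a real site.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records in an assumed "timestamp ip user object rows" format.
# These are not real Salesforce event-log entries; the layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 guest Contact 120
2024-05-01T10:00:10Z 203.0.113.7 guest User 95
2024-05-01T10:00:20Z 203.0.113.7 guest Account 80
2024-05-01T10:00:30Z 203.0.113.7 guest Lead 60
2024-05-01T10:01:00Z 198.51.100.4 guest Knowledge__kav 3
2024-05-01T10:02:00Z 198.51.100.9 alice@example.com Contact 12
"""

ROW_THRESHOLD = 200     # rows returned to one guest source inside one window (assumed)
OBJECT_THRESHOLD = 3    # distinct objects one guest source reads inside one window (assumed)


def parse(line):
    """Split one assumed-format log line into (timestamp, ip, user, object, rows)."""
    ts, ip, user, obj, rows = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, obj, int(rows)


def flag_guest_scans(log_text, window_seconds=300,
                     row_threshold=ROW_THRESHOLD, object_threshold=OBJECT_THRESHOLD):
    """Return {ip: {"rows": total, "objects": [...]}} for guest sources whose activity
    in a fixed time window looks like bulk scraping rather than normal browsing."""
    rows = Counter()
    objects = defaultdict(set)
    for line in log_text.strip().splitlines():
        ts, ip, user, obj, n = parse(line)
        if user != "guest":
            continue  # only unauthenticated (guest profile) traffic is in scope here
        key = (ip, int(ts.timestamp()) // window_seconds)  # fixed window bucket per IP
        rows[key] += n
        objects[key].add(obj)
    findings = {}
    for (ip, _), total in rows.items():
        touched = objects[(ip, _)]
        # Either a high row count or wide object coverage is enough to raise an alert
        if total >= row_threshold or len(touched) >= object_threshold:
            findings[ip] = {"rows": total, "objects": sorted(touched)}
    return findings


if __name__ == "__main__":
    for ip, detail in flag_guest_scans(SAMPLE_LOG).items():
        print(f"possible guest scan from {ip}: {detail}")
```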
Ultimately, this surge in activity reflects a broader shift toward exploiting legitimate tools and configuration errors rather than software bugs. Salesforce emphasizes that maintaining a secure posture requires a proactive approach to identity management and constant vigilance over public-facing permissions. By enforcing the principle of least privilege for guest users, companies can close the gap that these customized scanning tools are designed to exploit.
Source: Threat Actors Mass-Scan Salesforce Experience Cloud Using AuraInspector Tool