Google's Mandiant releases free Salesforce access control checker


AuraInspector seeks to prevent data exposure through framework misconfigurations.

Google-owned security vendor Mandiant has released an open-source command line tool which aims to help organisations identify potentially catastrophic access control misconfigurations in their Salesforce environments.


Called AuraInspector, the tool automates detection of configuration errors that have been abused to expose sensitive customer data at dozens of high-profile organisations over the past two years, including credentials, health information and identity documents.

It scans Salesforce Aura framework implementations from an external perspective, and flags misconfigurations that could allow unauthorised users to access protected records.

Mandiant said that its Offensive Security Services unit frequently identifies misconfigurations in the Salesforce Experience Cloud, which has a complex permissions system.

These gaps in access control can go undetected until too late, allowing unauthorised users access to sensitive business data.

Mandiant used the Salesforce GraphQL application programming interface (API) to bypass the platform's regular 2000 record retrieval limit, a previously undisclosed technique.

The open-source command-line tool from Mandiant scans automatically, simulating what unauthenticated users could access without credentials.

It automatically discovers Aura endpoints, retrieves lists of accessible Salesforce objects, and tests whether guest users have been granted excessive permissions to sensitive data such as Account, Contact and Lead records.

Furthermore, AuraInspector identifies Record List components that may allow unauthorised viewing or modification of records, and discovers exposed administration panels for third-party modules.

The tool employs action bulking to efficiently test multiple configurations in single requests, reducing network overhead.

Salesforce recommends that administrators audit guest user permissions to ensure those profiles hold only the least privileges required.

Salesforce also advises reviewing sharing rules and organisation-wide defaults to ensure that authenticated users only have access to records and objects for which they have explicitly been granted permission.

Other steps recommended by Salesforce include disabling self-registration to prevent unauthorised account creation; AuraInspector can determine whether this feature is enabled.
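The three recommendations above (least-privilege guest profiles, private external sharing defaults, self-registration disabled) can be checked offline against an administrator's own configuration export. The script below is an added illustration written for this article; it is not part of AuraInspector or of any Salesforce tooling. It assumes an admin has exported guest-profile object permissions (field names follow Salesforce's ObjectPermissions object), the external organisation-wide defaults and each site's self-registration flag into plain dictionaries; the export shape, the `ExternalOWD` and `SelfRegistrationEnabled` keys and the sample data are all constructed for the example.

```python
"""Offline least-privilege audit of Experience Cloud guest access.

Added example, not AuraInspector's code. Input is an assumed export shaped as:
  {"GuestProfiles": [{"Name": str, "ObjectPermissions": [row, ...]}, ...],
   "ExternalOWD": {object_name: sharing_level, ...},
   "Sites": [{"Name": str, "SelfRegistrationEnabled": bool}, ...]}
Each ObjectPermissions row uses the real Salesforce field names
(SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords).
"""

# Objects the article names as commonly over-exposed to guest users.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead"}

# Permission flags that grant more than plain read access.
WRITE_FLAGS = (
    "PermissionsCreate",
    "PermissionsEdit",
    "PermissionsDelete",
    "PermissionsModifyAllRecords",
)


def audit_guest_profile(profile):
    """Return findings for one guest profile's object permissions."""
    findings = []
    name = profile["Name"]
    for row in profile.get("ObjectPermissions", []):
        obj = row["SobjectType"]
        # Guest read on Account/Contact/Lead is the exposure the article describes.
        if obj in SENSITIVE_OBJECTS and row.get("PermissionsRead"):
            findings.append(f"{name}: guest Read on sensitive object {obj}")
        # 'View All' bypasses sharing rules entirely for that object.
        if row.get("PermissionsViewAllRecords"):
            findings.append(f"{name}: guest 'View All Records' on {obj}")
        # Any write-class permission on a guest profile deserves review.
        granted = [flag for flag in WRITE_FLAGS if row.get(flag)]
        if granted:
            findings.append(f"{name}: guest write access on {obj}: {', '.join(granted)}")
    return findings


def audit_sharing_defaults(external_owd):
    """Flag any object whose external (guest/portal) default is not Private."""
    return [
        f"OWD: external default for {obj} is '{level}', expected 'Private'"
        for obj, level in external_owd.items()
        if level != "Private"
    ]


def audit_site(site):
    """Flag a site that still allows guests to register their own accounts."""
    if site.get("SelfRegistrationEnabled"):
        return [f"Site {site['Name']}: self-registration enabled"]
    return []


def run_audit(export):
    """Run all three checks over an export and return the combined findings."""
    findings = []
    for profile in export.get("GuestProfiles", []):
        findings.extend(audit_guest_profile(profile))
    findings.extend(audit_sharing_defaults(export.get("ExternalOWD", {})))
    for site in export.get("Sites", []):
        findings.extend(audit_site(site))
    return findings


def _perm(obj, read=False, **flags):
    """Build one constructed ObjectPermissions row with all flags defaulted to False."""
    row = {"SobjectType": obj, "PermissionsRead": read}
    for flag in WRITE_FLAGS + ("PermissionsViewAllRecords",):
        row[flag] = flags.get(flag, False)
    return row


# Constructed sample export: one over-permissive and one tighter guest profile.
SAMPLE_EXPORT = {
    "GuestProfiles": [
        {
            "Name": "Customer Site Guest User",
            "ObjectPermissions": [
                _perm("Contact", read=True, PermissionsCreate=True),
                _perm("Knowledge__kav", read=True),
            ],
        },
        {
            "Name": "Help Centre Guest User",
            "ObjectPermissions": [_perm("Lead", PermissionsCreate=True)],
        },
    ],
    "ExternalOWD": {"Account": "Private", "Contact": "Public Read Only", "Case": "Private"},
    "Sites": [
        {"Name": "customer-portal", "SelfRegistrationEnabled": True},
        {"Name": "help-centre", "SelfRegistrationEnabled": False},
    ],
}

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_EXPORT):
        print(finding)
```

Against the constructed export the audit reports five findings: guest read and create on Contact, guest create on Lead, a non-private external default for Contact, and self-registration enabled on the customer portal. Each is exactly the kind of setting the article says AuraInspector probes from the outside, so closing them in the configuration removes the condition the scanner would detect.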

AuraInspector is released on GitHub, and is not an officially supported Google product.

The public release of AuraInspector deliberately excludes data extraction capabilities to prevent misuse, limiting operations to read-only detection that does not modify target systems.

Copyright © iTnews.com.au . All rights reserved.