Developers: Salesforce
Last Release Date: 2021/11/10
Technology: CRM, SaaS - Software as a Service
The main feature of Salesforce.com is the principle of on-demand services, through which users access the system over the Internet. This significantly reduces IT costs, namely the installation of additional software and the purchase of expensive server equipment.
In addition to the standard functions for marketing, sales, and service management, Salesforce CRM Enterprise Edition includes workflow automation and approval processes. Thanks to this, it became possible to automate any business process in the company: control the territorial distribution of sales, interact with partners, and systematize communications with customers. Now owners of suburban real estate can easily receive any information of interest to them. Thanks to a single database, managers will be able to quickly process any request from the client.
In turn, Salesforce.com Mobile allows you to work with Salesforce through mobile devices on the iPhone, Blackberry and Windows Mobile platforms.
2021
Fixing a vulnerability that allowed incognito participation in confidential meetings
On November 10, 2021, Varonis announced the discovery of a vulnerability in the Salesforce platform. Because of it, organizations that simultaneously use the Salesforce Communities and Einstein Activity Capture services could unknowingly open access to the Outlook or Google calendar records of their administrators.
The identified vulnerability was called the "Mole Hole." It allows unauthorized persons access to the calendar records of system administrators, which may contain confidential information: personal data, emails, URLs and access codes to online conferences, the content of their agendas, and attached files. Possessing this data, the attacker was able to participate in confidential meetings incognito. In addition, such information could be used to conduct targeted or phishing attacks using the compromised data.
Varonis experts reported the vulnerability to Salesforce, and it has already taken measures to eliminate it.
However, those organizations whose Salesforce communities were created before the summer of 2021 need to immediately take a number of measures:
- Change the guest email address in your account data from valid to fictitious.
- Remove important entries from calendars that the Einstein Activity Capture plugin associated with a guest user.
Einstein Activity Capture (EAC) is a tool that integrates data from Microsoft Exchange or Google and Salesforce user accounts in a single Salesforce console. One of the features of this plugin is the automatic synchronization of events in user calendars. Synchronization occurs when EAC finds, in a created event record, a mention of users with matching email addresses.
Until the platform release in the summer of 2021, "guest" user accounts were created in Salesforce with an administrator email address. If that address was mentioned in the calendar record of a meeting, EAC automatically added the meeting to the calendar of the guest account. As a result, the record became accessible through the guest account to all users with guest rights.
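The condition described above, and the two measures listed for older communities, can be checked against an export of the org's users and events. The following Python sketch is an added example, not Varonis or Salesforce code; the records are constructed, and it assumes the export carries the standard User and Event field names shown.

```python
# Constructed sample rows, shaped like the results of:
#   SELECT Id, Username, Email, UserType FROM User
#   SELECT Id, Subject, OwnerId FROM Event
USERS = [
    {"Id": "005A", "Username": "admin@example.com",
     "Email": "Admin@Example.com", "UserType": "Standard"},
    {"Id": "005G1", "Username": "portal@example.force.com",
     "Email": "admin@example.com ", "UserType": "Guest"},
    {"Id": "005G2", "Username": "help@example.force.com",
     "Email": "noreply@invalid.example", "UserType": "Guest"},
]
EVENTS = [
    {"Id": "00U1", "Subject": "Board call", "OwnerId": "005G1"},
    {"Id": "00U2", "Subject": "Weekly sync", "OwnerId": "005A"},
]


def norm(email):
    """Compare addresses the way a mail match would: trimmed, case-insensitive."""
    return (email or "").strip().lower()


def audit_guest_calendar_exposure(users, events):
    # Index every non-guest account by its normalized email address.
    internal = {}
    for user in users:
        if user["UserType"] != "Guest" and norm(user["Email"]):
            internal.setdefault(norm(user["Email"]), []).append(user["Username"])
    guests = {u["Id"]: u for u in users if u["UserType"] == "Guest"}
    # Measure 1: guest accounts whose email is a real user's address.
    shared = [
        {"guest": g["Username"], "email": norm(g["Email"]),
         "matches": internal[norm(g["Email"])]}
        for g in guests.values() if norm(g["Email"]) in internal
    ]
    # Measure 2: calendar entries already attached to a guest account.
    guest_events = [e for e in events if e["OwnerId"] in guests]
    return {"shared_email_guests": shared, "guest_owned_events": guest_events}


if __name__ == "__main__":
    report = audit_guest_calendar_exposure(USERS, EVENTS)
    for row in report["shared_email_guests"]:
        print("guest shares email with", row["matches"], "->", row["guest"])
    for event in report["guest_owned_events"]:
        print("review event", event["Id"], event["Subject"])
```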
According to Varonis analysts, such incorrect configurations and minor vulnerabilities will occur more and more often. The interconnection of various SaaS services, as well as the amount of data transferred between them, increases risks and complicates the management of SaaS infrastructures.
Risks of data theft with incorrect Salesforce configuration
On August 16, 2021, Varonis published a report on the cybersecurity risks that arise in companies when a CRM system is incorrectly configured, in particular the Salesforce Community workspace.
The Salesforce workspace allows customers and partners of the company to work remotely in Salesforce: open support requests, ask questions, manage subscriptions and much more. However, an incorrectly configured workspace can make confidential data available to Internet users, and anonymous users will be able to request confidential information: customer lists, support calls, employee email addresses.
Attackers can use such data not only for intelligence as part of a phishing campaign, but also to steal confidential information about the company, its activities, customers and partners. Sometimes fraudsters are able to get information from other services integrated with the Salesforce account.
Varonis analysts have discovered many public Salesforce workspaces that are incorrectly configured and disclose sensitive information. To prevent potential risks of data loss, the Varonis team highlights 4 key recommendations for configuring Salesforce Community.
- Audit guest access rights. Make sure that the permissions of the guest profile do not disclose what you do not need to disclose (accounts, employee calendars).
- Disable API access for the guest profile.
- Assign a "default owner" to records created by guest users.
- Activate Secure Guest Access.
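The four recommendations can be turned into a repeatable check over exported guest-profile data. The Python sketch below is an added example, not Varonis or Salesforce code: the data is constructed, the permission field names follow the standard Profile and ObjectPermissions objects, and the list of sensitive objects and the `SITE_CHECKLIST` keys are assumptions introduced for illustration.

```python
# Constructed sample data. SITE_CHECKLIST keys are hypothetical names for
# settings that an administrator confirms by hand in Setup.
SENSITIVE = {"Account", "Contact", "Case", "Event", "User"}  # assumed list
WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit",
               "PermissionsDelete", "PermissionsModifyAllRecords")

GUEST_PROFILE = {"Name": "Support Site Profile", "PermissionsApiEnabled": True}
OBJECT_PERMS = [
    {"SobjectType": "Account", "PermissionsRead": True},
    {"SobjectType": "Case", "PermissionsCreate": True},
    {"SobjectType": "FAQ__c", "PermissionsRead": True},
]
SITE_CHECKLIST = {"secure_guest_access": False, "guest_default_owner": None}


def audit_guest_profile(profile, object_perms, checklist):
    """Return (category, message) findings, one group per recommendation."""
    findings = []
    if profile.get("PermissionsApiEnabled"):
        findings.append(("api", "API access is enabled for the guest profile"))
    for perm in object_perms:
        obj = perm["SobjectType"]
        view_all = perm.get("PermissionsViewAllRecords")
        # Read access matters on sensitive objects, or anywhere if it is "view all".
        if view_all or (perm.get("PermissionsRead") and obj in SENSITIVE):
            findings.append(("read", f"guest can read {obj}"))
        writes = [flag for flag in WRITE_FLAGS if perm.get(flag)]
        if writes:
            findings.append(
                ("write", f"review guest write access to {obj}: {', '.join(writes)}"))
    if not checklist.get("guest_default_owner"):
        findings.append(("owner", "no default owner for guest-created records"))
    if not checklist.get("secure_guest_access"):
        findings.append(("secure", "Secure Guest Access is not activated"))
    return findings


if __name__ == "__main__":
    for category, message in audit_guest_profile(
            GUEST_PROFILE, OBJECT_PERMS, SITE_CHECKLIST):
        print(f"[{category}] {message}")
```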
Workspaces are public and are indexed by Google by default. Although this is convenient for customers and partners, it makes it easier for attackers who have discovered a vulnerability or misconfiguration to search for workspaces and abuse the data obtained from them, Varonis emphasized.[1]
2020: Integration with the Mango Office PBX
On January 15, 2020, Mango Office announced that the MANGO OFFICE virtual PBX tool can now be used on the Salesforce CRM platform as an integrated phone call solution.
2016: No support for most Android devices
In July 2016, it became known that Salesforce.com decided to abandon support for most Android-based devices in its products. The reason for this was the high fragmentation of the operating system.
According to the IT publication Re/code, in 2016 an updated version of the Salesforce1 application will be released, which will be compatible only with Google Nexus smartphones (Nexus 5X and Nexus 6P models) and Samsung flagships, including the Galaxy S5, S6, S7 and Note 4. It is also planned to maintain support for Galaxy Note 10.1 and Tab A 9.7 tablets. In the future, this innovation will concern other products of the manufacturer.
"Due to the wide range of Android devices available, we decided to support only certain of them in order to continue to improve the capabilities of Salesforce1 for Android," the product support document says.
The company itself confirmed to the portal the correctness of the information published in this document, and noted its desire to maximize resources for program development. Salesforce.com refrained from further comment.
By abandoning the compatibility of its products with most Android electronics, Salesforce.com will provide Samsung, which is already the leader in the global smartphone market, an additional impetus in promoting its devices in the corporate market.
The problem of Android fragmentation appeared a long time ago. Because of it, the release of software updates for devices of different manufacturers is delayed, sometimes for many months after the release of the next version of the platform. This complicates the work of developers, who are forced to optimize their applications for several OS modifications at once.
According to Google statistics, by May 2016 devices worldwide were running the following versions of Android: Marshmallow 6.0 (7.5% of the total), Lollipop 5.0-5.1 (35.6%), KitKat (32.5%), Jelly Bean 4.1-4.3 (20.1%), Ice Cream Sandwich 4.03-4.04 (2%), Gingerbread (2.2%) and Froyo (0.1%).
Apple's mobile OS, iOS, also has a fragmentation problem, but it is not so pronounced. By March 2016, the latest platform modification was installed on 79% of Apple mobile devices. At the same time, Salesforce.com also removed support for the iPhone 5 and 5C smartphones from its products.[2]
2015: Salesforce App for Outlook
In March 2015, Microsoft and Salesforce introduced the Salesforce App for Outlook application, which allows users of Outlook and Office 365 to work simultaneously with both mail and contacts. When a seller receives an email from their customer, they can access all the information they need without having to leave Outlook.
The product is available free of charge as part of the Salesforce Enterprise Edition and is based entirely on cloud computing, so you do not need to install any software. The application is compatible with Outlook 2013, Office 365, Outlook for Mac, and Outlook Web App (OWA).