0
5/10
Telus Digital confirmed a breach by ShinyHunters, who stole ~1 petabyte of data by leveraging GCP credentials exposed in the Salesloft Drift breach and then using trufflehog to discover additional credentials for lateral movement. The attack exposed customer support data, call records, source code, and financial information for 28+ companies using Telus' BPO services, and came with a $65M extortion demand.
data-breach
cloud-security
credential-theft
lateral-movement
extortion
salesforce
google-cloud-platform
bpo-services
voice-phishing
threat-intel
shinyhunters
supply-chain-attack
sso-compromise
mfa-bypass
Telus Digital
ShinyHunters
Google Cloud Platform
Salesforce
Drift
Salesloft
trufflehog
Mandiant
Okta
Microsoft
Match Group
Cisco
PornHub
Google
Microsoft Entra
Slack
Adobe
Atlassian
Zendesk
Dropbox
0
8/10
A Salesforce API access token was exposed to users' browsers during file uploads on IKEA.com's customer support forms, allowing attackers to access unrestricted customer data via the Salesforce REST API. The token lacked proper permission scoping and revealed that 465 object types were accessible, including customer account names and phone numbers.
api-token-exposure
credential-leakage
salesforce
crmapi
insufficient-access-controls
data-exfiltration
bug-bounty
responsible-disclosure
rest-api-abuse
web-form-exploitation
reconnaissance
ikea
IKEA.com
Salesforce
Jonathan Bouman
Zerocopter
Amass
Burp Suite
Param Miner
CVE-like-equivalent-not-assigned