Salesforce is warning customers to audit their Experience Cloud guest user configurations after the cybercrime group ShinyHunters launched a campaign that exploits overly permissive guest settings to harvest data from public portals. The attackers are using a modified version of Mandiant's open-source AuraInspector tool to probe the '/s/sfsites/aura' API endpoint and pull records without any credentials. The campaign targets orgs where guest profiles hold excessive object and field permissions, the organization-wide default for external users is not set to Private, and guest users are allowed to reach public APIs. Salesforce recommends auditing guest permissions, disabling public API access where it is not needed, restricting object visibility, and enforcing least-privilege access for guest users. Because the attack abuses configuration gaps rather than a platform vulnerability, there is nothing for Salesforce to patch: remediation is a customer-side configuration change, and until it is made the technique remains low-effort and high-reward for threat actors.
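The audit Salesforce recommends comes down to correlating two things per object: what the guest profile is granted, and what the external organization-wide default allows. The script below is an added example, not Salesforce's or Mandiant's code and not a reproduction of the attacker tooling. It assumes you have already run the two SOQL queries it names (for instance through the REST API or the Salesforce CLI) and have their JSON records in hand; the records embedded here are constructed so the script runs offline, and the query text should be checked against your org's API version before use.

```python
"""Correlate guest-profile object permissions with external org-wide defaults.

Added example for auditing Experience Cloud guest exposure. The two SOQL
strings are the queries the audit expects as input; the SAMPLE_* records are
constructed stand-ins for their results, not data from a real org.
"""
from dataclasses import dataclass

# Object-level permissions held by profiles of the Guest user type.
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, "
    "PermissionsDelete, PermissionsModifyAllRecords, Parent.Profile.Name "
    "FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest'"
)
# External (and internal) org-wide default per object.
SHARING_MODEL_SOQL = (
    "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition"
)

WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
               "PermissionsModifyAllRecords")
SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}

# Constructed sample results: a support-site guest profile that can read
# Case, Contact and a custom object, and has no access to Opportunity.
SAMPLE_OBJECT_PERMS = [
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
    {"SobjectType": "Job_Application__c", "PermissionsRead": True,
     "PermissionsCreate": False, "PermissionsEdit": False,
     "PermissionsDelete": False, "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
    {"SobjectType": "Opportunity", "PermissionsRead": False,
     "PermissionsCreate": False, "PermissionsEdit": False,
     "PermissionsDelete": False, "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Support Site Guest User"}}},
]
SAMPLE_ENTITY_DEFS = [
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Job_Application__c", "ExternalSharingModel": "ReadWrite"},
    {"QualifiedApiName": "Opportunity", "ExternalSharingModel": "Private"},
]


@dataclass
class Finding:
    sobject: str
    profile: str
    external_owd: str
    severity: str
    reason: str


def audit_guest_exposure(object_perms, entity_defs):
    """Return one Finding per object a guest profile can read, worst first.

    Logic: no Read -> not reachable through the guest context, skipped.
    Read + any write flag -> critical (unauthenticated data modification).
    Read + external OWD other than Private -> high (records readable by anyone).
    Read + Private OWD -> low; only records opened by guest sharing rules leak.
    """
    owd = {e["QualifiedApiName"]: e.get("ExternalSharingModel") or "Unknown"
           for e in entity_defs}
    findings = []
    for p in object_perms:
        if not p.get("PermissionsRead"):
            continue
        obj = p["SobjectType"]
        profile = p["Parent"]["Profile"]["Name"]
        model = owd.get(obj, "Unknown")
        writes = [f for f in WRITE_FLAGS if p.get(f)]
        if writes:
            findings.append(Finding(obj, profile, model, "critical",
                                    "guest can write: " + ", ".join(writes)))
        elif model != "Private":
            findings.append(Finding(obj, profile, model, "high",
                                    f"guest read with external OWD '{model}'"))
        else:
            findings.append(Finding(obj, profile, model, "low",
                                    "guest read; exposure limited to guest sharing rules"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def format_report(findings):
    """Render findings as one line each for a ticket or console."""
    return [f"[{f.severity.upper():8}] {f.sobject:20} profile={f.profile!r} "
            f"external_owd={f.external_owd} ({f.reason})" for f in findings]


if __name__ == "__main__":
    for line in format_report(audit_guest_exposure(SAMPLE_OBJECT_PERMS,
                                                   SAMPLE_ENTITY_DEFS)):
        print(line)
```

Two caveats when running this against a real org. First, object-level access is only half of it: field-level security and the guest user sharing rules decide which fields and records are actually returned, so a "low" finding still deserves a look at the sharing rules on that object. Second, if "Secure guest user record access" is enforced in your org, guest users do not get records through the external OWD at all, only through guest user sharing rules, so the high-severity branch above mainly matters for orgs that have not enabled that setting.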