Google-owned security firm Mandiant has released AuraInspector, a free open-source tool designed to help organizations identify access control misconfigurations in Salesforce environments. The command-line tool is now available on GitHub for security teams to use when auditing their Salesforce deployments.
The tool scans Salesforce Aura framework implementations from an external perspective to flag potential configuration issues. AuraInspector operates without requiring system credentials, simulating how unauthorized users might interact with Salesforce environments.
Mandiant's Offensive Security Services unit developed the tool based on configuration errors frequently identified in Salesforce Experience Cloud during security assessments. The platform's complex permissions system often contributes to such vulnerabilities. The tool is deliberately limited to read-only detection capabilities and does not modify target systems.
How AuraInspector Works
AuraInspector addresses configuration errors that Mandiant says have been exploited to expose sensitive customer data at dozens of organizations over the past two years, including credentials, health information, and identity documents.
The tool automates detection of these misconfigurations, which can go unnoticed in Salesforce's intricate permissions system until actively exploited. It works by discovering Aura framework endpoints within Salesforce environments and systematically testing them for access control weaknesses. The tool retrieves lists of accessible Salesforce objects and evaluates whether guest user profiles have been granted excessive permissions to sensitive data types, including Account, Contact, and Lead records.
This automated approach addresses a growing problem: as Salesforce environments scale across thousands of users, applications, and custom components, manual configuration audits become impractical, often leaving gaps unaddressed.
AuraInspector employs several techniques to assess security postures efficiently. It leverages the Salesforce GraphQL API to bypass the platform's standard 2,000-record retrieval limit, a technique previously undisclosed. By using action bulking, the tool can test multiple configurations in single requests, significantly reducing network overhead and accelerating scan times. This efficiency makes it practical for security teams to conduct regular audits without disrupting business operations.
Beyond permission checks, AuraInspector identifies Record List components that may allow unauthorized viewing or modification of records and discovers exposed management panels for third-party modules. The tool also detects whether self-registration features are enabled, a configuration that can allow attackers to create unauthorized accounts.
By simulating what unauthenticated users could access without credentials, AuraInspector gives security teams better visibility into their external Salesforce attack surface from an attacker's perspective.
Learning from Large-Scale Salesforce Breaches
AuraInspector's release follows a massive data theft campaign that compromised Salesforce CRM environments across dozens of high-profile organizations, as documented by Mandiant in August 2025.
Attackers exploited compromised OAuth tokens from the third-party Salesloft Drift application to infiltrate organizations and extract sensitive data, including credentials, health records, and identity documents. Google Threat Intelligence tracked this campaign, highlighting how legitimate integrations within Salesforce's ecosystem could be weaponized even without direct platform vulnerabilities.
A primary cause of these breaches centered on access control misconfigurations, particularly within Salesforce Experience Cloud sites where Aura framework endpoints were left exposed to unauthenticated users.
Guest user profiles combined with overly permissive sharing rules created pathways for attackers to query protected objects via GraphQL APIs that bypassed standard record limits. Although Salesforce and Mandiant collaborated to revoke the exploited tokens and harden Drift integrations, the incident revealed how configuration drift in complex, multi-tenant environments can create persistent security blind spots that traditional monitoring often misses.
Salesforce recommends that administrators audit guest user permissions to enforce least-privilege access principles and review organization-wide defaults and sharing rules to limit data exposure. The company also advises disabling unnecessary features such as self-registration to reduce the risk of unauthorized account creation. However, in large enterprises where permissions sprawl across thousands of users, applications, and custom components, manual monitoring becomes unwieldy and often leaves critical gaps unnoticed until exploited.
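Salesforce's recommendation to audit guest user permissions is the administrator-side complement of the external, credential-less check of guest access to Account, Contact and Lead described earlier in this article. The Python script below is an added example, not Mandiant's AuraInspector and not Salesforce code: it takes ObjectPermissions records of the shape an administrator can export with a SOQL query and flags every object that a profile on the Guest User License can read or write, ranking each grant. The ObjectPermissions field names and the license name are real Salesforce identifiers; the sensitive-object list, the severity policy and the sample records are assumptions constructed for the example.

```python
"""Audit guest-user object permissions exported from Salesforce.

Example added here; it is not part of Mandiant's AuraInspector and takes the
administrator's (authenticated) view rather than the tool's external one.
It consumes ObjectPermissions records of the shape returned by a SOQL query
such as:

    SELECT Parent.Profile.Name, Parent.Profile.UserLicense.Name, SobjectType,
           PermissionsRead, PermissionsCreate, PermissionsEdit,
           PermissionsDelete, PermissionsViewAllRecords
    FROM ObjectPermissions
    WHERE Parent.IsOwnedByProfile = true

The field and object names are real Salesforce ones; the sample records below
are constructed for the example and do not come from any real org.
"""
from __future__ import annotations

from dataclasses import dataclass

# Objects the article names as frequently exposed, plus two others an auditor
# would normally treat as sensitive (assumption; tune per org).
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "User"}
GUEST_LICENSE = "Guest User License"  # license name that marks guest profiles
PERMISSION_FIELDS = ("PermissionsRead", "PermissionsCreate", "PermissionsEdit",
                     "PermissionsDelete", "PermissionsViewAllRecords")
WRITE_PERMISSIONS = {"Create", "Edit", "Delete"}
SEVERITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    profile: str
    sobject: str
    permissions: tuple[str, ...]
    severity: str


def granted_permissions(record: dict) -> tuple[str, ...]:
    """Return the short names ('Read', 'Edit', ...) of the flags set to true."""
    return tuple(field[len("Permissions"):] for field in PERMISSION_FIELDS
                 if record.get(field))


def is_guest_profile(record: dict) -> bool:
    """True when the owning profile carries the Guest User License."""
    profile = (record.get("Parent") or {}).get("Profile") or {}
    return (profile.get("UserLicense") or {}).get("Name") == GUEST_LICENSE


def classify(sobject: str, permissions: tuple[str, ...]) -> str:
    """Severity policy (assumption): any write or ViewAllRecords for a guest is
    critical, read on a sensitive object is high, anything else is low."""
    if WRITE_PERMISSIONS & set(permissions) or "ViewAllRecords" in permissions:
        return "critical"
    if sobject in SENSITIVE_OBJECTS:
        return "high"
    return "low"


def audit_guest_permissions(records: list[dict]) -> list[Finding]:
    """Flag every object a guest profile can touch, most severe first."""
    findings = []
    for record in records:
        if not is_guest_profile(record):
            continue
        perms = granted_permissions(record)
        if not perms:
            continue  # row exists but grants nothing
        sobject = record["SobjectType"]
        profile_name = record["Parent"]["Profile"]["Name"]
        findings.append(Finding(profile_name, sobject, perms,
                                classify(sobject, perms)))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.sobject))


def _guest_row(sobject: str, **flags: bool) -> dict:
    """Build a constructed ObjectPermissions row for a guest profile."""
    row = {"Parent": {"Profile": {"Name": "Support Site Guest",
                                  "UserLicense": {"Name": GUEST_LICENSE}}},
           "SobjectType": sobject}
    row.update({f: False for f in PERMISSION_FIELDS})
    row.update(flags)
    return row


# Constructed sample export: three guest grants, one empty guest row, one admin row.
SAMPLE_RECORDS = [
    _guest_row("Contact", PermissionsRead=True),
    _guest_row("Lead", PermissionsRead=True, PermissionsCreate=True),
    _guest_row("FAQ__c", PermissionsRead=True),
    _guest_row("Account"),  # no flags set: nothing to report
    {"Parent": {"Profile": {"Name": "System Administrator",
                            "UserLicense": {"Name": "Salesforce"}}},
     "SobjectType": "Account", "PermissionsRead": True, "PermissionsEdit": True,
     "PermissionsViewAllRecords": True},
]


if __name__ == "__main__":
    for f in audit_guest_permissions(SAMPLE_RECORDS):
        print(f"[{f.severity:8}] {f.profile}: {f.sobject} -> {', '.join(f.permissions)}")
```

Run against a real export, the script's findings map directly onto the remediation Salesforce advises: critical rows are write or view-all grants that a guest profile should almost never hold, high rows are read access to the object types the breaches exposed, and low rows are the informational baseline to review against organization-wide defaults and sharing rules.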
This challenge underscores why tools like AuraInspector are valuable for security teams. By automating external scans of Aura endpoints and flagging excessive guest permissions without requiring credentials or system modifications, the tool enables proactive identification of potential vulnerabilities.
Proactive Defense for a Safer Platform
The release of AuraInspector provides organizations with a practical solution to detect misconfigurations in their Salesforce environments. By simulating attacker reconnaissance techniques, the tool helps security teams understand their external attack surface and prioritize remediation efforts based on what is actually accessible to unauthorized users.
For B2B technology organizations heavily invested in Salesforce ecosystems, AuraInspector tackles a specific operational challenge: maintaining security visibility as platform complexity increases. The tool's automation capabilities make it feasible to conduct regular scans across multiple Salesforce environments, ensuring that configuration changes do not inadvertently introduce new security gaps.
Organizations should consider integrating AuraInspector into regular security assessment workflows, using it alongside Salesforce's native security features and third-party monitoring tools to build defense-in-depth strategies.
AuraInspector is now available on GitHub but is not an officially supported Google product. The public release of AuraInspector deliberately excludes data extraction capabilities to prevent misuse, limiting operations to read-only detection that does not modify target systems.