- Salesforce’s Einstein Activity Capture had a bug that gave external users access to data they should not see.
- The bug has been removed by the Salesforce team with a new update.
- Salesforce teams that do not have the latest version can work around the bug by changing their guest user's ID parameters.
A bug that the Varonis research team discovered, and named Einstein’s Wormhole, allows Salesforce Communities combined with Einstein Activity Capture (EAC) to expose an administrator’s Outlook or Google calendar. Calendars used by admins may contain highly sensitive information, including attendee names and emails, file attachments, meeting URLs and passwords, agendas, and email replies.
The issue has been reported to the Salesforce team and they have fixed it as of August 19, so if your Salesforce Community was created prior to this date, you must remediate exposed calendar events.
EAC is used to sync emails and calendar events between Microsoft Exchange, Google accounts, and Salesforce. If a calendar event containing a meeting link is left accessible, attackers could obtain the meeting password and join the meeting without being noticed.
If you cannot apply the latest upgrade, the most effective way of securing against the Einstein’s Wormhole bug is to change your guest ID parameters. First, replace your guest user’s email with a placeholder such as "test[@]example.com" or "guest[@]yourcompany.com." After that, remove all confidential information accessible via the guest account.
You can do this from the Developer Console in your Salesforce org by opening the “Execute Anonymous Window.” Then click “Execute” to run the code above, which changes the email address used by guests.
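As an added illustration of that step (this is example code written for this page, not the article’s or Varonis’s snippet), the anonymous Apex below finds every active guest user by its UserType and sets its Email to a placeholder; the placeholder address, and the assumption that an administrator runs it from the Execute Anonymous Window, are mine.

```apex
// Added example, not from the article: point every active Site/Community
// guest user at a placeholder e-mail address so calendar data synced by EAC
// is no longer tied to a real mailbox. Run as an admin from Developer Console
// > Debug > Open Execute Anonymous Window. Replace the placeholder first.
String placeholderEmail = 'guest@yourcompany.com';   // placeholder, change it

// Site and Community guest users carry UserType = 'Guest'.
List<User> guests = [
    SELECT Id, Username, Email
    FROM User
    WHERE UserType = 'Guest' AND IsActive = true
];

List<User> toUpdate = new List<User>();
for (User g : guests) {
    if (g.Email != placeholderEmail) {
        System.debug('Guest user ' + g.Username + ' currently uses ' + g.Email);
        g.Email = placeholderEmail;
        toUpdate.add(g);
    }
}

if (toUpdate.isEmpty()) {
    System.debug('No guest user e-mail needed changing.');
} else {
    // allOrNone = false: one failing record does not roll back the others,
    // so the debug log shows exactly which guest users still need attention.
    Database.SaveResult[] results = Database.update(toUpdate, false);
    for (Integer i = 0; i < results.size(); i++) {
        if (!results[i].isSuccess()) {
            System.debug(LoggingLevel.ERROR, 'Failed for ' + toUpdate[i].Username
                + ': ' + results[i].getErrors()[0].getMessage());
        }
    }
}
```

Check the debug log afterwards: any guest user still listed with a real address is one the update did not reach, and the remaining step, removing confidential records the guest account can reach, is not covered by this snippet.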