It was a social engineering attack that leveraged the device OAuth flow, where the device gaining access to the resource server (in this case the Salesforce API) is separate from the device that grants the authorization.
The hackers called employees/contractors at Google (& lots of other large companies) with user access to the company's Salesforce instance and tricked them into authorizing API access for the hackers' machine.
It's the same as loading Apple TV on your Roku despite not having a subscription and then calling your neighbor who does have an account and tricking them into entering the 5-digit code at link.apple.com.
Continuing with your analogy, they didn't break into the off-site storage unit so much as they tricked someone into giving them a key.
There's no security vulnerability in Google/Salesforce or your apartment/storage per se, but a lapse in security training for employees/contractors can be the functional equivalent to a zero-day vulnerability.
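The device flow described in the comment above, as an added example that is not part of the original comments and is not Salesforce's or Google's code: a toy in-memory authorization server following the RFC 8628 steps, showing that the token goes to whoever holds the `device_code` while acting as whoever typed in the `user_code`. The class, the client names, the user and the `approved_clients` allowlist are hypothetical; the allowlist stands in for an assumed control that limits which client apps may start the flow.

```python
import secrets

class DeviceFlowServer:
    """Toy in-memory authorization server for the RFC 8628 device grant."""
    def __init__(self, approved_clients=None):
        # approved_clients=None models "any client may start a device flow".
        self.approved_clients = approved_clients
        self.pending = {}  # device_code -> {"user_code", "client_id", "user"}

    def device_authorization(self, client_id):
        """Step 1: the device that will hold the token asks for codes."""
        if self.approved_clients is not None and client_id not in self.approved_clients:
            raise PermissionError(f"client {client_id!r} may not use the device flow")
        device_code = secrets.token_urlsafe(32)   # secret, stays on the device
        user_code = secrets.token_hex(4).upper()  # short code a person types or reads out
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id, "user": None}
        return device_code, user_code

    def approve(self, user_code, logged_in_user):
        """Step 2: a logged-in user enters the code in their own browser."""
        for grant in self.pending.values():
            if grant["user_code"] == user_code:
                # Nothing here ties the approver to the machine that made step 1.
                grant["user"] = logged_in_user
                return grant["client_id"]  # all the approval page can show
        raise KeyError("unknown user_code")

    def token(self, device_code):
        """Step 3: the device polls; the token carries the approver's access."""
        grant = self.pending[device_code]
        if grant["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": secrets.token_urlsafe(32), "acts_as": grant["user"]}

def run_flow(server, client_id, approver):
    """Run the three steps with the requester and approver as separate parties."""
    device_code, user_code = server.device_authorization(client_id)
    assert server.token(device_code) == {"error": "authorization_pending"}
    server.approve(user_code, approver)  # happens on a different machine
    return server.token(device_code)

if __name__ == "__main__":
    # Constructed names: "unvetted-app", "crm-cli" and the user are placeholders.
    print(run_flow(DeviceFlowServer(), "unvetted-app", "employee@example.com")["acts_as"])
    try:
        run_flow(DeviceFlowServer(approved_clients={"crm-cli"}), "unvetted-app", "employee@example.com")
    except PermissionError as exc:
        print("blocked:", exc)
```

With no allowlist the unvetted client ends up holding a token that acts as the employee; with the allowlist the request is refused at step 1, before any code exists for a person to be talked into entering.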
There's no vulnerability per se, but I think the Salesforce UI is pretty confusing in this case. It looks like a login page, but actually if you fill it in, you're granting an attacker access.
Disclosure: I work at Google, but don't have much knowledge about this case.
Salesforce architect here (from partner firm, not the mothership directly)--Salesforce's query language, SOQL, is definitely a different beast as you say. I'd like to learn more about the issues you're having with the integration, specifically the permissions enforcement. I may be misunderstanding what you meant in the blog post, but if you're passing a SOQL query through the REST API then the results will be scoped by default to the permissions of the user that went through the OAuth flow. My email is in my profile if you're open to connecting.
Tython | Salesforce Software Engineer | Remote (US) | Full-time Contract to Hire | https://www.tython.co
Tython provides consulting services to Salesforce ISVs, partners, and customers with a focus on lightning web components, Apex development, and backend integrations.
Tython was founded in 2012 and since then has provided consulting and development services to Fortune 100 companies and nonprofits alike, as well as released products on the Salesforce AppExchange.
Tython is currently a lean group of Salesforce engineers and admins spread out between San Diego, Long Beach, St. Louis, and Durham, North Carolina. We're looking to build out a fun, diverse, and supportive team of both junior and experienced Salesforce consultants, admins, and software engineers.
We offer great benefits including medical, dental, vision & life insurance, 401k matching, charitable donation matching, training opportunities, and an unlimited vacation policy.
The technologies and tools we use today include:
* Apex
* Lightning Web Components
* Aura Components
* SFDX
* GitHub
* VSCode
* GitHub Actions
Reach out if you would enjoy working with a small team, having a flexible work schedule, and building complex applications/integrations with the Salesforce platform.
Interested? Send your resume to careers@tython.co (no recruiters please)
Tython | Salesforce Software Engineer | Long Beach, San Diego, Research Triangle Park, or Remote | Full-time Contract to Hire | ONSITE or REMOTE | https://www.tython.co
Tython provides consulting services to Salesforce ISVs, partners, and customers with a focus on lightning web components, Apex development, and backend integrations.
Tython was founded in 2012 and since then has provided consulting and development services to Fortune 100 companies and nonprofits alike, as well as released products on the Salesforce AppExchange.
Tython is currently a lean group of Salesforce engineers and admins spread out between San Diego and Long Beach, but we will soon be opening an office in the RTP area of North Carolina. We're looking to build out a fun, diverse, and supportive team of both junior and experienced Salesforce consultants, admins, and software engineers.
We offer great benefits including medical, dental, vision & life insurance, 401k matching, and an unlimited vacation policy.
The technologies and tools we use today include:
* Apex
* Lightning Web Components
* Aura Components
* SFDX
* GitHub
* VSCode
* CircleCI (moving to GitHub Actions)
Reach out if you would enjoy working with a small team, having a flexible work schedule, and building complex applications/integrations with the Salesforce platform.
Interested? Send your resume to careers@tython.co (no recruiters please)
Tython | Salesforce Software Engineer | San Diego, CA | Full-time | ONSITE or REMOTE | https://www.tython.co
Tython provides consulting services to Salesforce ISVs, partners, and customers with a focus on lightning web components, Apex development, and backend integrations.
Tython was founded in 2012 and since then has provided consulting and development services to Fortune 100 companies and nonprofits alike, as well as released products on the Salesforce AppExchange. Tython was formerly based in Washington, DC where I formed and led the local Salesforce developer group before relocating to San Diego, CA.
As the founder of Tython, I've spoken at Salesforce’s annual Dreamforce conference multiple times as well as the TrailheaDX developer conference. During the last Dreamforce Hackathon held in 2014 my team and I were awarded 4th place and $20,000.
Tython is currently a lean group of Salesforce engineers and admins, but we're looking to build out a fun, diverse, and supportive team of both junior and experienced Salesforce software engineers.
Reach out if you would enjoy working with a small group, having a flexible work schedule, and building complex applications/integrations with the Salesforce platform.
Interested? Send your resume to careers@tython.co (no recruiters please)
Tython | Salesforce Software Engineer | San Diego, CA | Full-time or Part-time | ONSITE or REMOTE (PDT +/- 3) | https://www.tython.co
Tython provides consulting services to Salesforce partners, customers, and ISVs with a focus on lightning web components, Apex development, and backend integrations.
Tython is currently a two man show, but we're looking to build out a fun, diverse, and supportive team of both junior and experienced Salesforce software engineers. Reach out if you would enjoy working with a small group, having a flexible work schedule, and building complex applications/integrations with the Salesforce platform.
We're looking for a software engineer first and foremost, but there will also be a consultant aspect to the role as some client interaction may be necessary to go over requirements/deliverables. We're definitely open to helping a strong developer not already familiar with Salesforce transition to the platform, but candidates would ideally already have experience in the following:
- Lightning Component (Aura/Web) Development
- Apex Development
- SFDX
Interested? Send your resume to careers@tython.co (no recruiters please)
Tython | Salesforce Software Engineer | San Diego, CA | Full-time or Part-time | ONSITE or REMOTE | https://www.tython.co
Tython provides consulting services to Salesforce partners, customers, and ISVs with a focus on lightning web components, Apex development, and backend integrations.
As the founder at Tython, I've been working on the Salesforce platform since 2010 and in that time provided consulting and development services to Fortune 100 companies and nonprofits alike, released products on the Salesforce AppExchange, and spoken at Salesforce’s annual Dreamforce conference multiple times. In 2014 I formed the DC Salesforce developer group and later that same year my team and I were awarded 4th place and $20,000 at the Dreamforce Hackathon.
Tython is currently a two man show, but we're looking to build out a fun, diverse, and supportive team of both junior and experienced Salesforce software engineers. Reach out if you would enjoy working with a small group, having a flexible work schedule, and building complex applications/integrations with the Salesforce platform.
Interested? Send your resume to careers@tython.co (no recruiters please)
"But the highest praise I can give The Left Hand of Darkness is that Le Guin captures the texture of life. This book is full of little moments, bits of sensation and emotion, that show what it feels like to be alive, day after day."
Well put; this was one of the things I enjoyed most about the book as well. I began reading fully expecting to be immersed in the Gethenians' world and their foreign culture, just as Mr. Ai did at the start of his journey. By the end though I realized Le Guin had used these "aliens" to show Mr. Ai and the reader what it truly meant to be human.
The fact that some others here feel that LHoD was not Le Guin's best work makes me excited to read her other books!
I read The Dispossessed about 5 years ago and didn’t have any strong reactions from it. Then I read LHoD a few months ago and was blown away. So much so that I’m curious to go back to The Dispossessed and see if my opinion of it radically changes this time around.
Tython | Salesforce Software Engineer | San Diego, CA | Full-time or Part-time | ONSITE or REMOTE | https://www.tython.co
Tython provides consulting services to Salesforce partners, customers, and ISVs with a focus on lightning components, Apex development, and backend integrations.
I've been working on the Salesforce platform since 2010 and in that time provided consulting and development services to Fortune 100 companies and nonprofits alike, released products on the Salesforce AppExchange, and spoken at Salesforce’s annual Dreamforce conference multiple times. In 2014 I formed the DC Salesforce developer group and later that same year my team and I were awarded 4th place and $20,000 at the Dreamforce Hackathon.
Currently I'm a one man show, but now I'm looking to build out a fun, supportive team of both junior and experienced Salesforce software engineers. Reach out if you would enjoy having a flexible work schedule and building complex applications/integrations with the Salesforce platform.
Interested? Send your resume to careers@tython.co (no recruiters please)