Mandiant Releases AuraInspector Tool to Secure Salesforce Access Sprawl

Mandiant has released AuraInspector, a free tool that scans Salesforce environments for access control flaws and excessive permissions.

Published: January 13, 2026

Kristian McCann

Google-owned security firm Mandiant has launched AuraInspector, a free open-source tool designed to help organizations identify access control misconfigurations in Salesforce environments. The command-line utility is now available on GitHub for security teams to use when auditing their Salesforce deployments.

The tool scans Salesforce Aura framework implementations from an external perspective to flag potential configuration issues. AuraInspector operates without requiring system credentials, simulating how unauthorized users might interact with Salesforce environments.

Mandiant’s Offensive Security Services unit developed the tool based on configuration errors frequently identified in Salesforce Experience Cloud during security assessments. The platform’s complex permissions system often contributes to such vulnerabilities. The tool is intentionally limited to read-only detection capabilities and does not modify target systems.

How AuraInspector Works

AuraInspector addresses configuration errors that Mandiant says have been exploited to expose sensitive customer data at dozens of organizations over the past two years, including credentials, health information, and identity documents.

The tool automates detection of these misconfigurations, which can go unnoticed in Salesforce’s intricate permissions system until actively exploited. It works by discovering Aura framework endpoints within Salesforce environments and systematically testing them for access control weaknesses. The tool retrieves lists of accessible Salesforce objects and evaluates whether guest user profiles have been granted excessive permissions to sensitive data types, including Account, Contact, and Lead records.

This automated approach solves a growing challenge as Salesforce environments scale across thousands of users, applications, and custom components—manual configuration audits become impractical, often leaving gaps unaddressed.

AuraInspector employs several techniques to efficiently assess security postures. It leverages the Salesforce GraphQL API to bypass the platform’s standard 2,000-record retrieval limit, a method previously undisclosed. By using action bulking, the tool can test multiple configurations in single requests, significantly reducing network overhead and accelerating scan times. This efficiency makes it practical for security teams to conduct regular audits without disrupting business operations.

Beyond permission checks, AuraInspector identifies Record List components that may allow unauthorized viewing or modification of records and discovers exposed administration panels for third-party modules. The tool also detects whether self-registration features are enabled—a configuration that can allow attackers to create unauthorized accounts.

By simulating what unauthenticated users could access without credentials, AuraInspector gives security teams greater visibility into their external Salesforce attack surface from an attacker’s perspective.

Learning from Large-Scale Salesforce Breaches

AuraInspector’s release follows a massive data theft campaign that compromised Salesforce CRM environments across dozens of high-profile organizations, as documented by Mandiant in August 2025.

Attackers exploited compromised OAuth tokens from the third-party Salesloft Drift application to infiltrate organizations and extract sensitive data, including credentials, health records, and identity documents. Google Threat Intelligence tracked this campaign, highlighting how legitimate integrations within Salesforce’s ecosystem could be weaponized even without direct platform vulnerabilities.

A primary cause of these breaches centered on access control misconfigurations, particularly within Salesforce Experience Cloud sites where Aura framework endpoints were left exposed to unauthenticated users.

Guest user profiles combined with overly permissive sharing rules created pathways for attackers to query protected objects via GraphQL APIs that bypassed standard record limits. Although Salesforce and Mandiant collaborated to revoke the exploited tokens and harden Drift integrations, the incident revealed how configuration drift in complex, multi-tenant environments can create persistent security blind spots that traditional monitoring often misses.

Salesforce recommends that administrators audit guest user permissions to enforce least-privilege access principles and review organization-wide defaults and sharing rules to limit data exposure. The company also advises disabling unnecessary features such as self-registration to reduce the risk of unauthorized account creation. However, in large enterprises where permissions sprawl across thousands of users, applications, and custom components, manual tracking becomes unwieldy and often leaves critical gaps unnoticed until exploited.
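The guest-permission audit that Salesforce recommends, and that AuraInspector performs from the outside, can also be run from the inside by an administrator. The following is an added example, not AuraInspector's code or Salesforce's: it assumes the admin has already queried `ObjectPermissions` for guest profiles (SOQL shown in the docstring) via the REST query endpoint and saved the JSON; the response records below are constructed sample data.

```python
"""Flag guest-user profiles holding access to sensitive Salesforce objects.

Assumed SOQL run by an administrator against their own org beforehand:
    SELECT Parent.Profile.Name, SobjectType, PermissionsRead,
           PermissionsEdit, PermissionsViewAllRecords
    FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'
"""
import json

# Objects the article names as sensitive when exposed to guest users.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead"}

# Constructed sample response, shaped like the REST query endpoint's JSON.
SAMPLE_RESPONSE = json.dumps({"totalSize": 3, "done": True, "records": [
    {"Parent": {"Profile": {"Name": "Customer Site Guest User"}},
     "SobjectType": "Contact", "PermissionsRead": True,
     "PermissionsEdit": False, "PermissionsViewAllRecords": False},
    {"Parent": {"Profile": {"Name": "Customer Site Guest User"}},
     "SobjectType": "Lead", "PermissionsRead": True,
     "PermissionsEdit": True, "PermissionsViewAllRecords": True},
    {"Parent": {"Profile": {"Name": "Customer Site Guest User"}},
     "SobjectType": "Knowledge__kav", "PermissionsRead": True,
     "PermissionsEdit": False, "PermissionsViewAllRecords": False},
]})

PERMS = ("PermissionsRead", "PermissionsEdit", "PermissionsViewAllRecords")


def audit_guest_permissions(response_json, sensitive=SENSITIVE_OBJECTS):
    """Return one finding per (guest profile, sensitive object) with any grant.

    Edit or View All on a sensitive object is rated high; read-only is medium.
    Least privilege for a guest profile normally means no grant at all here.
    """
    findings = []
    for rec in json.loads(response_json)["records"]:
        obj = rec["SobjectType"]
        if obj not in sensitive:
            continue
        granted = [p for p in PERMS if rec.get(p)]
        if not granted:
            continue
        broad = {"PermissionsEdit", "PermissionsViewAllRecords"} & set(granted)
        findings.append({"profile": rec["Parent"]["Profile"]["Name"],
                         "object": obj, "granted": granted,
                         "severity": "high" if broad else "medium"})
    return findings


if __name__ == "__main__":
    for f in audit_guest_permissions(SAMPLE_RESPONSE):
        print(f"[{f['severity']}] {f['profile']} -> {f['object']}: "
              + ", ".join(f["granted"]))
```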

This challenge underscores why tools like AuraInspector are valuable for security teams. By automating external scans of Aura endpoints and flagging excessive guest permissions without requiring credentials or system modifications, the tool enables proactive identification of potential vulnerabilities.

Proactive Defense for a Safer Platform

The release of AuraInspector provides organizations with a practical solution to detect misconfigurations in their Salesforce environments. By simulating attacker reconnaissance techniques, the tool helps security teams understand their external attack surface and prioritize remediation efforts based on what is actually accessible to unauthorized users.

For B2B technology organizations heavily invested in Salesforce ecosystems, AuraInspector tackles a specific operational challenge: maintaining security visibility as platform complexity increases. The tool’s automation capabilities make it feasible to conduct regular scans across multiple Salesforce environments, ensuring that configuration changes don’t inadvertently introduce new security gaps.

Organizations should consider integrating AuraInspector into regular security assessment workflows, using it alongside Salesforce’s native security features and third-party monitoring tools to build defense-in-depth strategies.

AuraInspector is now available on GitHub but is not an officially supported Google product. The public release of AuraInspector deliberately excludes data extraction capabilities to prevent misuse, limiting operations to read-only detection that does not modify target systems.
