Earlier versions have been discontinued; a new one is available

Feb 6, 2015 16:14 GMT  ·  By

A bug has been discovered in the Opportunity Form, a tool meant to help sales representatives work more efficiently; if successfully exploited, the flaw discloses sensitive information, including log-in credentials, that would give an attacker unauthorized access to the platform.

The Opportunity Form from Topline Systems is an Excel spreadsheet used to manage and forecast sales opportunities. It is mainly designed for entering data while offline and synchronizing it with the online database once connectivity becomes available.

Plain text password at risk of exposure

According to a vulnerability note from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the spreadsheet can be used to recover a user's log-in credentials, along with email addresses, all of which are stored in plain text.

There are not many details about the vulnerability beyond the fact that it can be exploited remotely. The CERT/CC note also states that the sensitive information can be reached by running procedures (macros) included in the spreadsheet.
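The note gives no details of the procedures involved, but the underlying problem, credentials stored in plain text inside a distributed workbook, is something a practitioner can check for before ever running a macro. The script below is an added example written for this article; it is not code from Topline Systems or CERT/CC, and the workbook it scans is constructed inline (the file layout is the standard Office Open XML zip, but the part contents, the `db.example.invalid`/`sync@example.invalid` names and the `Hunter2!` password are made up). It opens a macro-enabled workbook as the zip archive it is, checks whether a VBA project is present, and greps every part for key/value pairs that look like secrets and for e-mail addresses.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# A .xlsm/.xlsx file is a zip of XML parts; macros live in xl/vbaProject.bin.
# Key/value pairs whose key looks like a secret (Password=..., API_PASS = "...").
SECRET_KEY = re.compile(
    rb'(?i)([\w.-]*(?:password|passwd|pwd|pass|secret|api[_-]?key|token))'
    rb'\s*[=:]\s*"?([^\s;"\'<>]{3,})'
)
# E-mail addresses, which the advisory says were exposed alongside credentials.
EMAIL = re.compile(rb'[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}')


@dataclass
class Finding:
    part: str   # zip member the match came from, e.g. xl/connections.xml
    kind: str   # normalised key name, or "email"
    value: str  # the exposed value


def has_macros(workbook: bytes) -> bool:
    """True if the workbook carries a VBA project (i.e. it can run procedures)."""
    with zipfile.ZipFile(io.BytesIO(workbook)) as z:
        return "xl/vbaProject.bin" in z.namelist()


def scan_workbook(workbook: bytes) -> list[Finding]:
    """Scan every part of the workbook for plaintext credentials and addresses.

    Caveat: real VBA source inside vbaProject.bin is stored compressed
    (MS-OVBA), so a raw byte scan only catches literals that survive the
    compression; for a reliable audit decompress the module streams first
    (e.g. with oletools' olevba) and scan the recovered source.
    """
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(workbook)) as z:
        for name in z.namelist():
            part = z.read(name)
            for m in SECRET_KEY.finditer(part):
                findings.append(Finding(name, m.group(1).decode("latin-1").lower(),
                                        m.group(2).decode("latin-1")))
            for m in EMAIL.finditer(part):
                findings.append(Finding(name, "email", m.group(0).decode("latin-1")))
    return findings


def build_sample_workbook(with_secrets: bool = True) -> bytes:
    """Constructed stand-in for a macro-enabled workbook (not the real product).

    The 'secret' variant embeds a sync account in a data-connection string and
    in an (uncompressed, for illustration) VBA module; the clean variant uses
    integrated authentication and no hard-coded account.
    """
    if with_secrets:
        conn = ('Provider=SQLOLEDB;Data Source=db.example.invalid;'
                'User ID=syncuser;Password=Hunter2!;')
        vba = (b'Const API_USER = "sync@example.invalid"\r\n'
               b'Const API_PASS = "Hunter2!"\r\n')
    else:
        conn = 'Provider=SQLOLEDB;Data Source=db.example.invalid;Integrated Security=SSPI;'
        vba = b'Const API_URL = "https://sync.example.invalid/api"\r\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/connections.xml",
                   f'<connections><connection name="sync" connection="{conn}"/></connections>')
        # OLE compound-file magic followed by module text stands in for a real vbaProject.bin.
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + vba)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_workbook()
    print("macros present:", has_macros(sample))
    for f in scan_workbook(sample):
        print(f"{f.part}: {f.kind} = {f.value}")
```

Run against a real file, replace `build_sample_workbook()` with the bytes read from disk. Two hits deserve attention in practice: `xl/connections.xml`, where Excel persists data-connection strings (including a saved password if the author ticked that option), and `xl/vbaProject.bin`, where any account a macro uses to synchronize with a back end ends up if it was written into the code as a constant.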

An attacker holding a user's Opportunity Form credentials could do serious damage to a company's revenue: by altering the submitted data, the attacker could sabotage the business so that forecasts come out wrong or selling opportunities are missed.

Company applies security measures

To mitigate the risk, Topline Systems has made security modifications to the Opportunity Form, which CERT/CC deems an appropriate measure.

The company has also ended support for all previous versions of the product, forcing users to download the improved Excel spreadsheet so that everyone is protected. A security warning pointing to the download page has been posted on the service's log-in page.

A password reset procedure was also deployed for all customers, and a new release containing security improvements has been scheduled for February 15.

There is no evidence at the moment of compromised accounts. However, users are strongly advised to replace their passwords with strong ones, especially if the same password is also used for other sensitive accounts.

Topline Systems is a SaaS (software-as-a-service) company, meaning that the information customers submit is synchronized to its platform, whose services can be accessed through a web browser.