
Einstein's Wormhole: Capturing Outlook & Google Calendars via Salesforce Guest User Bug

Last updated Jan 07, 2022


    If your organization uses Salesforce Communities and Einstein Activity Capture, you might have unknowingly exposed your administrator's Outlook or Google calendar events to the internet due to a bug called Einstein's Wormhole discovered by the Varonis research team.

    Exposed calendar events can contain highly sensitive contents such as attendee names and emails, meeting URLs and passwords, agendas, file attachments, and email replies sent to the organizer.

    The issue was reported to Salesforce and their talented and extremely responsive team quickly fixed the bug. However, if your Salesforce Community was created prior to Summer 2021, you must remediate exposed calendar events.

    Steps to take immediately:

    1.) Change your guest user's email to a dummy email (e.g., or

    2.) Remove sensitive calendar events that Einstein associated with your guest user

    More detailed steps are outlined below under the "Mitigation" section. Reach out to our team if you need assistance auditing your Salesforce instance.

    Read on for a detailed explanation of how two seemingly unrelated Salesforce features are interconnected, and what the security implications are.

    Einstein Activity Capture

    Einstein Activity Capture (EAC) is a tool that lets you synchronize emails and calendar events between your Microsoft Exchange or Google accounts and Salesforce.

    Einstein Activity Capture replaces the older and soon-to-be-obsolete Lightning Sync. In this article we will say Einstein Activity Capture, but the same concepts are also relevant to Lightning Sync.

    The idea behind Einstein Activity Capture is to boost your sales team's productivity by consolidating relevant customer emails and meetings into one central system: Salesforce.


    Einstein is smart, so when you create a meeting as an organizer, it will attempt to find other Salesforce people (users, leads, contacts) to sync the event to.

    When Einstein Activity Capture synchronizes a user's calendar, the following chain of events occurs:

    • Salesforce connects to the calendar, be it Outlook or Google Calendar, and retrieves the events.
    • Salesforce adds the events to the user's Salesforce calendar.
    • Salesforce looks at the event's participants and searches for users, leads, and contacts with matching emails.
    • If Salesforce finds records with matching email addresses, it adds the events to their Salesforce calendars as well.

    More on how event sync works here.

    Einstein's Wormhole

    Up until the Summer 2021 release, guest users were created with the Salesforce admin's email address.


    Let's revisit our Einstein sync process with this new detail.

    Imagine your CTO sends an Outlook meeting invite to the company's Salesforce admin (let's call her Judy). It's a sensitive roadmap meeting involving several key players in the business. Since the guest user shares an email address with Judy, here's what will happen (prior to the Summer 2021 release):

    • Salesforce finds the CTO's event where the admin is a participant.
    • Salesforce looks for users and other objects with an email address matching the participants.
    • Salesforce will find Judy the Salesforce admin and sync the event to her calendar.
    • Salesforce will ALSO find the guest user and sync the event to the guest's calendar.


    As a result, the event and its details (participants, subject, dial-in, Zoom link, and even the replies to the invite) are exposed to the Internet via the guest user.


    The events themselves may contain sensitive information, which by itself can harm the business. With a meeting link, password, and attendee list, an attacker could potentially join a meeting without being noticed.

    The information can also be used by malicious actors to carry out spear phishing attacks or use details from the meeting to compromise other services, move laterally, etc.


    Salesforce quickly fixed this bug so that all new Community sites will not associate the guest user with a real user's email address.

    If your Community was created before Summer '21, we recommend you change the guest user's email for all your Community sites to a dummy email that isn't associated with a real user's calendar.

    The snippet below can be run in the Development Console and will change the email address of all guest users. It collects every guest user first and updates them with a single DML statement, so it stays within governor limits even when an org has many Community sites:

    // Query every guest user (one per Community site) and set a dummy email
    List<User> guests = new List<User>();
    for (User user : [SELECT Id FROM User WHERE UserType = 'Guest']) {
        user.Email = ''; // put your dummy address here; it must be a syntactically valid email
        guests.add(user);
    }
    update guests;

    To access the Development Console, click on the gear at the top of the page and select "Development Console" (make sure that you are logged in as an admin!).


    In the Development Console, press Ctrl+E (works on both Windows and Mac) to open the "Execute Anonymous Window."


    Paste the code into the window and click "Execute" to automatically change the email address of all guest users.

    Deleting sensitive event objects associated with the guest user is not as easy. If you need help doing this, please reach out and our team will be happy to help.
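    The audit script below is an added example and is not part of the original post or Salesforce's own tooling. It assumes that events synced to a guest user's calendar appear as standard Event records whose OwnerId is that guest user (as the sync chain above describes); it runs in the Execute Anonymous window as an admin, lists what it finds without logging event descriptions, and only deletes when the deleteEvents flag is switched to true.

```apex
// Added example (not from the original post): audit, and optionally delete,
// calendar events that Einstein sync attached to Community guest users.
// Assumption: synced events are Event records with OwnerId = guest user.
Boolean deleteEvents = false;   // dry run by default; set to true to delete

// 1. Collect every guest user in the org (one per Community site)
Map<Id, User> guests = new Map<Id, User>(
    [SELECT Id, Name, Email FROM User WHERE UserType = 'Guest']);
System.debug('Guest users: ' + guests.size());
for (User g : guests.values()) {
    System.debug('  ' + g.Name + ' <' + g.Email + '> ' + g.Id);
}

// 2. Find events sitting on guest users' calendars. Only Id, time, owner
//    and subject are logged, so the debug log does not become another
//    copy of the meeting contents (Description, dial-in, attachments).
List<Event> leaked = [
    SELECT Id, Subject, StartDateTime, OwnerId
    FROM Event
    WHERE OwnerId IN :guests.keySet()
    ORDER BY StartDateTime DESC
    LIMIT 2000];
System.debug('Events owned by guest users: ' + leaked.size());
for (Event e : leaked) {
    System.debug('  ' + e.Id + ' | ' + e.StartDateTime + ' | '
        + guests.get(e.OwnerId).Name + ' | ' + e.Subject);
}

// 3. Remove them with one bulk DML call; partial success is allowed so a
//    single locked or already-deleted record does not abort the cleanup.
if (deleteEvents && !leaked.isEmpty()) {
    Database.DeleteResult[] results = Database.delete(leaked, false);
    Integer ok = 0;
    for (Database.DeleteResult r : results) {
        if (r.isSuccess()) {
            ok++;
        } else {
            System.debug('Failed: ' + r.getErrors()[0].getMessage());
        }
    }
    System.debug('Deleted ' + ok + ' of ' + leaked.size() + ' events');
}
```

    Run it once as a dry run and review the logged list before flipping deleteEvents, since the same event may also sit legitimately on the admin's own calendar and should only be removed from the guest user.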


    The biggest takeaway from this research is that SaaS risk increases as services become interconnected. In this case, two seemingly disconnected features are tied together in an unexpected and undesired way. These small misconfigurations or minor vulnerabilities can have disastrous consequences.

    In addition, it's crucial for enterprises to understand the shared responsibility model when working with SaaS providers. SaaS applications are mainly secure; however, once an enterprise puts data into these SaaS applications, it's the enterprise's responsibility to protect the data.

    It's critical for organizations to understand their SaaS landscape and how products affect one another. Think about creating something akin to a network topology diagram for your SaaS products to paint a clear picture of how data flows from one app to the next.

    Consider using a cloud security product (we like DatAdvantage Cloud ;-)) to visualize exactly what a user (even a guest user!) has access to across all your different SaaS apps, classify sensitive data, and monitor behavior for anomalies.

    Disclosure Timeline

    • 2021-08-08: Reported to Salesforce
    • 2021-08-11: Triaged
    • 2021-08-19: Fixed
