+ Start a Discussion
tstrongtstrong 

Security of Email Approval Response

Has anyone vetted the security of email approval responses? 

 

Our security team is concerned that a user could get an approval request email and change the opportunity data in the email header in order to inappropriately approve another opportunity that they shouldn't have access to.

Ispita_NavatarIspita_Navatar

I think that salesforce doesn't allow that, they maintain session ids and some other token to check for the validity of the operation, that is what salesforce's "Safe Harbour Statement" and other documents of security tells.

Best way to find out is to try , have you tried vetting the Email URL ? My belief they have a mechanism to prevent it.

Still you can try and keep us posted on that.