Salesforce AgentForce Vulnerability: What You Need to Know
▼ Summary
– A critical vulnerability called ForcedLeak, with a severity score of 9.4, was discovered in Salesforce’s AI-powered AgentForce platform.
– The flaw was an indirect prompt injection attack that could have allowed attackers to steal sensitive CRM data by embedding malicious instructions in Web-to-Lead forms.
– Salesforce patched the issue by enforcing Trusted URLs and securing an expired domain that was in its Content Security Policy whitelist and could have been used to exfiltrate data.
– The findings highlight that autonomous AI agents present an expanded attack surface compared to traditional chatbots, requiring attacks to move at machine speed.
– The disclosure serves as a reminder for businesses to prioritize security governance, continuous testing, and strict controls when adopting autonomous AI.
A significant security vulnerability within Salesforce’s AgentForce platform has been uncovered, revealing a critical weakness in how AI-powered systems handle data. Cybersecurity specialists identified a flaw chain, dubbed ForcedLeak, which received a severity rating of 9.4. This vulnerability could have enabled malicious actors to exfiltrate confidential CRM information through a technique known as indirect prompt injection. Salesforce has addressed the issue by implementing Trusted URL enforcement and securing a previously expired domain that presented an exploitation opportunity.
The discovery by Noma Security underscores a broader concern: AI agents introduce a substantially larger attack surface than their traditional chatbot predecessors. Unlike simple query-response systems, autonomous AI agents like AgentForce can make independent decisions and execute multi-step processes without direct human supervision. This autonomy, while powerful, creates new avenues for exploitation.
Researchers demonstrated how attackers could plant harmful instructions within Salesforce’s Web-to-Lead forms. These malicious prompts would then lie dormant within customer data records. When company employees later interacted with AgentForce, the AI would process both the legitimate user query and the hidden malicious command simultaneously. Andy Bennett, CISO at Apollo Information Systems, explained the mechanism: “Indirect Prompt Injection operates similarly to cross-site scripting, but instead of targeting a database, the attacker manipulates the inline AI. It combines elements of scripted attacks with social engineering tactics.”
A separate but related finding involved an expired domain that remained on Salesforce’s Content Security Policy whitelist. This oversight meant an attacker could acquire the domain inexpensively and use it as a conduit for siphoning off valuable CRM data, including customer contact details, sales pipeline information, and private internal messages.
Chrissa Constantine, a senior cybersecurity solution architect at Black Duck, emphasized the importance of a holistic defense strategy. “The key is to secure the entire ecosystem surrounding AI agents, this includes APIs, data entry forms, and middleware. Making prompt injection more difficult to exploit and limiting its potential impact should it occur is essential.”
For organizations leveraging Salesforce AgentForce with Web-to-Lead functionality, several immediate actions are recommended. Applying the latest Salesforce patches to enforce Trusted URLs is a critical first step. Companies should also conduct audits of existing lead data to identify any suspicious submissions containing unusual instructions. Furthermore, implementing strict security guardrails for tool-calling and establishing real-time detection for prompt injection attempts are vital protective measures.
As Bennett pointed out, the speed of AI-driven attacks presents a unique challenge, as they can propagate with machine-like efficiency, potentially causing widespread damage quickly. The ForcedLeak incident acts as a crucial warning for businesses integrating autonomous AI: robust security governance, continuous testing, and strict controls are non-negotiable components for safeguarding against these evolving digital threats.
(Source: Info Security)
