Salesforce AI Hack Enabled CRM Data Theft
"Prompt injection and an expired domain could have been used to target Salesforce's Agentforce platform for data theft. The attack method, dubbed ForcedLeak, was discovered by researchers at Noma Security, a company that recently raised $100 million for its AI agent security platform. Salesforce Agentforce enables businesses to build and deploy autonomous AI agents across functions such as sales, marketing, and commerce. These agents act independently to complete multi-step tasks without constant human intervention."
"The ForcedLeak attack method identified by Noma researchers involved Agentforce's Web-to-Lead functionality, which enables the creation of a web form that external users such as conference attendees or individuals targeted in a marketing campaign can fill out to provide lead information. This information is saved into the customer relationship management (CRM) system. The researchers discovered that attackers can abuse forms created with the Web-to-Lead functionality to submit specially crafted information, which when processed by Agentforce agents causes them to carry out various actions."
Noma Security identified a ForcedLeak attack method that could use prompt injection and an expired domain to target Salesforce Agentforce and steal CRM data. The exploit abuses Agentforce's Web-to-Lead forms to submit specially crafted payloads that cause autonomous agents to perform actions chosen by an attacker. A payload example combined benign instructions with directives to collect email addresses and send them as parameters to a remote server. When an employee asks Agentforce to process the malicious lead, the prompt injection triggers and CRM data is exfiltrated. A trusted Salesforce domain had expired and an attacker could have re-registered it. Salesforce regained control and implemented safeguards to block untrusted outputs.
Read at SecurityWeek
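
One way to implement the kind of output safeguard the summary mentions, as an added example that is not Salesforce's or Noma's code: every URL in agent output must exactly match an allowlisted host whose domain registration is still current, and URLs carrying email addresses in the query string are blocked. The host names, expiry dates and sample output are constructed assumptions.

```python
import re
from datetime import date
from urllib.parse import urlsplit, unquote

# Constructed allowlist: host -> date the domain registration lapses (hypothetical).
TRUSTED_HOSTS = {
    "assets.crm.example": date(2030, 1, 1),
    "legacy-cdn.example": date(2024, 5, 1),  # lapsed: anyone could re-register it
}
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed agent output after processing a lead (not real data).
SAMPLE = ("Lead processed. See https://legacy-cdn.example/c?d=alice%40corp.example "
          "and https://assets.crm.example/help for details.")


def check_url(url, today):
    """Return the reasons this URL must not be emitted; empty list means allowed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    expiry = TRUSTED_HOSTS.get(host)  # exact host match, no suffix matching
    if expiry is None:
        reasons.append("host not on allowlist")
    elif expiry <= today:
        reasons.append("allowlisted domain registration has lapsed")
    # CRM data sent as URL parameters is the exfiltration channel described above.
    if EMAIL_RE.search(unquote(parts.query)):
        reasons.append("email address in query string")
    return reasons


def filter_agent_output(text, today):
    """Replace each disallowed URL in agent output and report what was blocked."""
    blocked = []

    def _sub(match):
        reasons = check_url(match.group(0), today)
        if not reasons:
            return match.group(0)
        blocked.append((match.group(0), reasons))
        return "[blocked URL]"

    return URL_RE.sub(_sub, text), blocked
```

Keeping an expiry date next to each allowlisted host makes a lapsed registration fail closed instead of remaining trusted.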