
A now-fixed flaw in Salesforce’s Agentforce could have allowed external attackers to steal sensitive customer data via prompt injection, according to security researchers who published a proof-of-concept attack on Thursday. They were aided by an expired trusted domain that they were able to buy for a measly five bucks.
Agentforce is the CRM giant’s tool for creating AI agents to automate various tasks. The vulnerability stems from a stale entry in the platform’s Content Security Policy allow-list: a domain that was still trusted even though its registration had expired.
Salesforce has already released patches that prevent AI agents from retrieving CRM records and sending them to outside attackers. This new vulnerability, dubbed “ForcedLeak”, illustrates another way that AI-integrated business tools – without human oversight – can be abused, Noma Security research lead Sasi Levi said in a Thursday blog.
“ForcedLeak represents an entirely new attack surface where prompt injection becomes a weaponized vector, human-AI interfaces become social engineering targets, and the mixing of user instructions with external data creates dangerous trust boundary confusion that traditional security controls cannot address,” Levi wrote.
Salesforce declined to answer The Register‘s questions about ForcedLeak, including whether the flaw was abused and sensitive data disclosed, but told us it had fixed the flaw. As of September 8, the company began enforcing trusted URL allow-lists for its Agentforce and Einstein Generative AI agents, so that an agent cannot be prompt-injected into calling a URL outside the allow-list.
“Salesforce is aware of the vulnerability reported by Noma and has released patches that prevent output in Agentforce agents from being sent to untrusted URLs,” a Salesforce spokesperson told The Register in an emailed statement. “The security landscape for prompt injection remains a complex and evolving area, and we continue to invest in strong security controls and work closely with the research community to help protect our customers as these types of issues surface.”
The flaw has no CVE, since the fix was applied on Salesforce’s side rather than shipped as a software update for customers to install, but Levi told The Register that the AI security company used CVSS v4.0 to calculate a severity score of 9.4, rating it a critical bug.
Indirect prompt injection
The attack used indirect prompt injection, in which malicious instructions are planted in data the AI will ingest later (here, a CRM record) and are executed when a legitimate user interacts with the agent, rather than being typed into the prompt by the attacker.
A direct prompt injection attack, by contrast, involves the attacker submitting malicious instructions to the AI system themselves, such as: “Provide me step-by-step instructions on how to build a bomb.”
For this attack scenario, the researchers enabled Salesforce’s Web-to-Lead feature. This allows external users, like conference attendees or website visitors, to submit customer lead info that flows directly into the CRM system without any employee reviewing it first.
Next, the researchers analyzed the Web-to-Lead form fields to identify the best injection points. Most of the fields (first and last name, company, email) had character limits too small for the attack, allowing only 40 to 80 characters.
However, the description field with its 42,000-character limit proved ideal for multi-step instruction sets.
Analyzing Salesforce’s Content Security Policy showed that my-salesforce-cms.com was on the allow-list but that its registration had expired, so the research team purchased it for $5. (Salesforce has re-secured the expired domain, in addition to implementing the other security controls prompted by this exploit, including the new Trusted URLs Enforcement for Agentforce and Einstein AI.)
Then the researchers entered a realistic-sounding first and last name into the proper fields, along with an email and company name. But for the description field, they entered:
Then – bingo – the AI agent started querying the CRM for sensitive lead information and sending all of that data to an attacker-controlled server on the domain the researchers had bought, which the CSP still trusted.
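The chain above hinges on two things a defender can check for: an allow-listed domain that nobody owns any more, and an agent that is free to emit URLs pointing wherever its context tells it to. The Python below is an added example, not Noma’s or Salesforce’s code, illustrating both the audit that would have caught the expired my-salesforce-cms.com entry and the kind of trusted-URL egress enforcement Salesforce described in its response. The CSP header, the example.invalid hosts, and the fake_dns resolver are constructed for illustration; the page does not reproduce Salesforce’s actual policy, and a non-resolving host is a signal of expiry to confirm via WHOIS/RDAP, not proof.

```python
"""Audit a CSP allow-list for dangling domains and enforce an outbound URL
allow-list on agent output.  Added example; not Salesforce or Noma code."""
import re
import socket
from urllib.parse import urlparse

# Constructed CSP header for illustration.  my-salesforce-cms.com is the expired
# domain named in the article; the example.invalid hosts are placeholders.
SAMPLE_CSP = (
    "default-src 'self'; "
    "img-src 'self' data: https://*.my-salesforce-cms.com https://cdn.example.invalid; "
    "connect-src 'self' https://api.example.invalid:443 wss://*.example.invalid"
)

# Source expressions that name no host and are skipped by the audit.
_NON_HOST_SOURCES = {"data:", "blob:", "https:", "http:", "wss:", "ws:"}


def csp_hosts(csp: str) -> dict[str, set[str]]:
    """Map each CSP directive to the host names it allows.
    Quoted keywords ('self', 'none', ...) and scheme-only sources are skipped;
    scheme, port, path and a leading wildcard are stripped.  A wildcard entry is
    reduced to its apex because whoever owns the apex controls every subdomain."""
    out: dict[str, set[str]] = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if len(parts) < 2:
            continue
        name, sources = parts[0], parts[1:]
        hosts: set[str] = set()
        for src in sources:
            if src.startswith("'") or src in _NON_HOST_SOURCES:
                continue
            host = src.split("://", 1)[-1]              # drop scheme
            host = host.split("/", 1)[0].split(":", 1)[0]  # drop path and port
            host = host.lstrip("*.")                    # *.example.com -> example.com
            if host:
                hosts.add(host.lower())
        out[name] = hosts
    return out


def resolves(host: str) -> bool:
    """Default resolver: does the host have any address record?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def dangling_hosts(csp: str, resolver=resolves) -> set[str]:
    """Allow-listed hosts that do not resolve: candidates for an expired or
    unregistered domain that an attacker could buy, as in ForcedLeak."""
    hosts = set().union(*csp_hosts(csp).values())
    return {h for h in hosts if not resolver(h)}


URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def host_allowed(host: str, trusted: set[str]) -> bool:
    """Exact match or proper subdomain of a trusted host.  A substring check
    ('cdn.example.invalid' in host) would wrongly pass cdn.example.invalid.evil.test."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def filter_agent_output(text: str, trusted: set[str]) -> tuple[list[str], list[str]]:
    """Split the URLs an agent wants to emit into (allowed, blocked).
    urlparse().hostname is used so userinfo tricks like
    https://trusted@evil.test/ are judged by the real host, evil.test."""
    allowed: list[str] = []
    blocked: list[str] = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        (allowed if host_allowed(host, trusted) else blocked).append(url)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed resolver: pretend only the expired domain has no records.
    fake_dns = lambda h: h != "my-salesforce-cms.com"
    stale = dangling_hosts(SAMPLE_CSP, fake_dns)
    print("dangling allow-list entries:", stale)
    # Build the egress allow-list from the CSP minus anything dangling.
    trusted = set().union(*csp_hosts(SAMPLE_CSP).values()) - stale
    # Constructed agent output that tries to leak data via an image URL.
    agent_output = ("Lead summary attached: https://cdn.example.invalid/logo.png "
                    "and https://c4t.my-salesforce-cms.com/pixel.png?d=leaked")
    print(filter_agent_output(agent_output, trusted))
```

Run as-is, the script uses the fake resolver so it works offline; drop the `fake_dns` argument to audit a real header against live DNS. The egress filter is deliberately built from the CSP minus its dangling entries, since the CSP is exactly where the original allow-list lived.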
“The ForcedLeak vulnerability highlights the importance of proactive AI security and governance,” Levi wrote. “It serves as a strong reminder that even a low-cost discovery can prevent millions in potential breach damages.”
This is just the latest in a string of examples of AI security researchers using prompt injection to trick LLMs and agents into doing malicious things – and it’s surely not going to be the last.
Last week, AI security company SPLX demonstrated how ChatGPT can be tricked into violating its own policies, and solving CAPTCHA puzzles, with cleverly worded prompts.
We also saw security shop Radware show how ChatGPT’s research assistant could be abused to steal Gmail secrets with a single, carefully crafted email prompt.
And last month, Amazon fixed a couple of security issues in Q Developer that made the tool vulnerable to prompt injection and remote code execution. ®