Prompt injection – and a $5 domain – trick Salesforce Agentforce into leaking sales

A now-fixed flaw in Salesforce’s Agentforce could have allowed external attackers to steal sensitive customer data via prompt injection, according to security researchers who published a proof-of-concept attack on Thursday. They were aided by an expired trusted domain that they were able to buy for a measly five bucks.

Agentforce is the CRM giant's tool for creating AI agents to automate various tasks. The vulnerability stems from a DNS misconfiguration within the agentic AI platform.

Salesforce has already released patches that prevent AI agents from retrieving CRM records and sending them to outside attackers. This new vulnerability, dubbed "ForcedLeak", illustrates another way that AI-integrated business tools – without human oversight – can be abused, Noma Security research lead Sasi Levi said in a Thursday blog.

"ForcedLeak represents an entirely new attack surface where prompt injection becomes a weaponized vector, human-AI interfaces become social engineering targets, and the mixing of user ...