Noma Labs has uncovered a severe flaw in Salesforce’s Agentforce platform. The chain of vulnerabilities, dubbed ForcedLeak, carried a CVSS score of 9.4 and exposed customer data to theft through indirect prompt injection and a loophole in Salesforce’s Content Security Policy.
The weakness lay in how Agentforce (an autonomous AI agent) processed instructions. Unlike conventional chatbots, these agents can act on data without constant oversight – an autonomy that created a wider, more dangerous attack surface.
The Mechanics
Bad actors slipped malicious instructions into Salesforce’s Web-to-Lead form, hiding payloads in the Description field. When staff later queried those leads through Agentforce, the AI dutifully followed both human commands and the attacker’s buried script. Sensitive CRM data was pulled out.
Exfiltration hinged on a trick. An expired domain (still whitelisted by Salesforce) allowed outbound data to flow. Posing as a trusted address, my-salesforce-cms.com funneled information back to attacker-controlled servers via innocuous image requests.
The Fallout
Any firm using Web-to-Lead in Agentforce was at risk. The prize: entire CRM records, contacts, sales pipelines, internal exchanges. The consequences: regulatory heat, financial loss, competitive exposure, and possible pivot into connected systems.
Noma Labs disclosed the issue on 28 July 28. Salesforce patched it by 8 September, tightening URL trust rules and hardening whitelist checks for Agentforce and Einstein AI.
Stricter Discipline for AI
The episode shows why AI agents demand stricter discipline than legacy bots. They bring sprawling attack surfaces (knowledge bases, memory, tool integrations) that cannot be ignored. Controls must cover trusted domains, input validation, output audits, and real-time detection of prompt injection. AI inventories and proper threat modelling are now table stakes.
The exploit cost attackers little more than a $5 domain. The potential cost to victims was immeasurable. As enterprises rush to embed AI agents in core workflows, one truth stands out: security must move in lockstep.
Noma Labs, for its part, argues its monitoring platform could have blocked ForcedLeak. Whether vendors and enterprises heed such warnings may shape the next era of AI security.
Establishing Guardrails
Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck says it’s advisable to secure the systems around the AI agents in use, which include APIs, forms, and middleware, so that prompt injection is harder to exploit and less harmful if it succeeds.
“True prevention is around maintaining configuration and establishing guardrails around the agent design, software supply chain, web application, and API testing as these are the complementary controls to consider in order to achieve true scale application security.”
Mayuresh Dani, Security Research Manager, at Qualys Threat Research Unit says any organization using Salesforce AgentForce with Web-to-Lead functionality enabled is at risk of this vulnerability. Firms should:
- Apply Salesforce patches to enforce Trusted URLs for AgentForce and Einstein AI immediately.
- Audit existing lead data for suspicious submissions containing unusual instructions or formatting.
- Enforce strict tool-calling security guardrails and detect prompt injection in real-time.
- Enforce rigorous security validation and threat modelling of all AI agents.
Indirect Prompt-injection Turned Data Exfiltration
This is a classic indirect prompt-injection turned data exfiltration, where an agent with access to sensitive data can reach the public internet, adds Elad Luz, Head of Research at Oasis Security.
“An attacker put hidden instructions into the free-text of a public contact form that feeds Salesforce (web-to-lead). A Salesforce AI agent (Agentforce) was asked to review new leads, read that text, and followed the attacker’s instructions. The agent then sent out other leads’ data. Internet access for the agent was “allowlisted,” but one allowed domain had expired and was re-registered by an attacker, so the data landed there.”
Moving forward, Luz says organizations and their security teams need to:
- Know each agent’s access (and avoid toxic combos). Maintain an inventory of agents as IAM principals with owners, purpose, data read scopes, and network/tool permissions (such as HTTP). Flag any agent that has both sensitive-data access and public egress. Apply least privilege and, where internet access is required, restrict egress to domains you own or explicitly trusted ones.
- Own your allowlist (and verify ownership). Keep a definitive allowlist of outbound domains for agents and continuously validate domain registration/ownership. Alert on expired, transferred, or hijackable entries and remove them immediately.
- Sanitize external input before the agent sees it. Treat free-text from contact forms as untrusted input. Use an input mediation layer to extract only expected fields, strip/neutralize instructions, links, and markup, and prevent the model from interpreting user content as commands (prompt-injection resilience).
- Track your vendors and their advisories. Map all vendors providing agent capabilities. Subscribe to their security advisories, apply recommended controls quickly, and require basics: per-agent credentials, granular egress allowlists, and audit logs.
A Mix of Scripted Attacks, Social Engineering
Andy Bennett, Chief Information Security Officer at Apollo Information Systems, says Indirect Prompt Injection is basically cross-site scripting, but instead of tricking a database into doing or divulging things it shouldn’t, the attackers get the inline AI to do it. “It is like a mix of scripted attacks and social engineering. The innovation is impressive, and the impacts are potentially staggering depending on the breadth of deployment in the wild of AI models/agents that might be susceptible to this sort of attack.”
Indirect Prompt Injection is new, but not brand new, Bennett says. “Many people and organizations are not able to keep up with the latest threats that leverage our own AI systems against us. Amazon released guidance on how to safeguard against it back in May, and OWASP’s GenAI Security project lists direct and indirect prompt injection as one of its top vulnerabilities. One of the tricky things with this sort of vulnerability is that, sometimes, it won’t be as easy to fix as just applying a patch.”
Constraining Model Behaviors
Bennett says the general recommendations to reduce this risk include constraining model behaviors by design, building in output validation controls, putting filtering in place for both input and output, enforcing effective access control (to real users and the models), and more. “It is also important to have testing in place, preferably continuously, to validate the behaviors of the model. There should be a Human-in-the-Loop stage gate for any critical decision-making or high-risk actions. Depending on the use case, organizations might want to limit a model or agent’s exposure to external content as well.”
AI agents absolutely expand the attack surface in new and novel ways, Bennett ends. “We have had to worry about attackers convincing people inside our organizations to do things they shouldn’t for a long time, but at least those compromises moved at the speed of people. When they convince an AI agent to do it, they move at the speed of a machine and it is possible that the damage and overall impact of an AI agent being targeted could be much faster and farther reaching than many other types of attacks.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.