An early injection and an expired domain can be used to target the agentforce platform of salesforce for data theft.
Attack method, dubbed ForcesNOMA was discovered by researchers from NOMA Security, a company that recently raised $ 100 million for its AI agent security forum.
The salesforce agentforce enables businesses to manufacture and deploy autonomous AI agents in works such as sales, marketing and commerce. These agents act freely to complete multi-step tasks without constant human intervention.
The FORCEDLEAK attack method, identified by NOMA researchers, included agentforce’s web-to-Leid functionality, enabling the creation of a web form that can fill to provide lead information in external users such as external users such as a conference participating or marketing campaign. This information is saved in the customer relationship management (CRM) system.
Researchers found that the attackers can misuse forms created with web-to-Leide functionality to present a particularly designed information, which causes them to perform various tasks from the attacker when processed by agentforce agents.
The potential impact was displayed by submitting a payload, including instructions to collect email addresses to the AI agent and to add them to the parameters of requests going to remote server.
When an employee asks the agentforce to process the lead that involves malicious payload, quick injection is triggered and the data stored in the CRM is collected and comes out of the attacker’s server.
The remaining remained uninterrupted in the attack as NOMA researchers found that a reliable salesforce domain was abandoned. An attacker could register that domain and used it for the server that obtained exfiltrated CRM data.
After being notified, Salesforce achieved control of expired domain and implemented Change To prevent AI agent output from being sent to incredible domain.
These types of attacks are not uncommon. In recent months, researchers demonstrated several theoretical attacks, where integration of integration between AI assistants and enterprise equipment was misused for the theft.
Connected: Targets in Server-side data theft attack
Connected: Chatgpt tricked to solve the captures
Connected: Top 25 MCP weaknesses show how AI agents can be exploited
