A significant security flaw, identified as ForcedLeak, has been discovered in Salesforce’s Agentforce AI platform, potentially allowing unauthorized access to sensitive customer relationship management (CRM) data. This vulnerability, carrying a Common Vulnerability Scoring System (CVSS) score of 9.4, was uncovered by Noma Labs and involves a sophisticated indirect prompt injection attack.
Understanding the ForcedLeak Vulnerability
The ForcedLeak vulnerability exploits several weaknesses within the Agentforce AI system:
1. Insufficient Context Validation: The AI agent fails to adequately verify the context of the data it processes, making it susceptible to malicious instructions embedded within seemingly legitimate inputs.
2. Overly Permissive AI Model Behavior: The AI’s model lacks stringent controls, allowing it to execute commands without proper authorization checks.
3. Content Security Policy (CSP) Bypass: A critical flaw in Salesforce’s CSP allowed attackers to communicate with untrusted domains, facilitating data exfiltration.
Mechanism of the Attack
The attack is executed through an indirect prompt injection method:
– Malicious Web-to-Lead Submission: Attackers craft a web form submission containing hidden commands within fields like the Description section.
– Processing by AI Agent: When the AI agent processes this lead, it interprets the embedded commands as legitimate instructions due to its inability to distinguish between trusted data and malicious inputs.
– Data Exfiltration: The AI agent then transmits sensitive CRM data to an attacker-controlled domain, exploiting the CSP flaw that whitelisted an expired domain (`my-salesforce-cms.com`) which the attackers had acquired.
Salesforce’s Response and Mitigation Measures
Upon notification from Noma Labs, Salesforce promptly investigated and addressed the issue by:
– Deploying Patches: Implemented fixes to prevent Agentforce agents from sending data to untrusted URLs.
– Re-securing the Expired Domain: Reclaimed control over the previously expired domain to eliminate the attack vector.
– Enhancing Security Controls: Introduced stricter security measures, including Trusted URLs Enforcement for both Agentforce and Einstein AI platforms.
Potential Impact of the Vulnerability
If exploited, the ForcedLeak vulnerability could have led to:
– Exposure of Confidential Information: Unauthorized access to customer contact details, sales pipeline data, internal communications, and historical interaction records.
– Compromised Business Operations: Disruption of sales and marketing processes due to data integrity issues.
– Regulatory Non-Compliance: Potential violations of data protection regulations, leading to legal and financial repercussions.
Recommendations for Salesforce Customers
To safeguard against similar vulnerabilities, Salesforce advises customers to:
1. Apply Recommended Updates: Ensure that all patches enforcing Trusted URLs for Agentforce and Einstein AI are installed.
2. Audit Existing Lead Data: Review current lead data for any suspicious submissions containing unusual instructions or anomalies.
3. Implement Strict Input Validation: Enforce rigorous validation and sanitization of all data from untrusted sources to prevent malicious inputs.
Broader Implications for AI Security
The discovery of ForcedLeak underscores the unique and expanded attack surfaces presented by autonomous AI agents compared to traditional systems. It highlights the necessity for continuous monitoring, robust validation mechanisms, and stringent security policies to protect AI-driven platforms from sophisticated attacks.
Conclusion
The ForcedLeak vulnerability in Salesforce’s Agentforce AI platform serves as a critical reminder of the evolving threats in the realm of artificial intelligence. Organizations must remain vigilant, promptly apply security updates, and adopt comprehensive security strategies to protect sensitive data and maintain trust in AI-powered systems.
