Source URL: https://www.theregister.com/2025/09/26/salesforce_agentforce_forceleak_attack/
Source: The Register
Title: Prompt injection – and a $5 domain – trick Salesforce Agentforce into leaking sales
Feedly Summary: More fun with AI agents and their security holes
A now-fixed flaw in Salesforce’s Agentforce could have allowed external attackers to steal sensitive customer data via prompt injection, according to security researchers who published a proof-of-concept attack on Thursday. They were aided by an expired trusted domain that they were able to buy for a measly five bucks.…
AI Summary and Description: Yes
Summary: The text highlights a security vulnerability in Salesforce’s Agentforce that could have enabled external attackers to execute prompt injection attacks, risking sensitive customer data. Researchers have provided a proof-of-concept for this flaw, emphasizing the ongoing challenges in securing AI agents against such threats.
Detailed Description:
The article discusses a serious security flaw discovered in Salesforce’s Agentforce, which is notable for professionals concerned with AI Security. This incident illustrates the vulnerabilities that can exist within AI systems and the potential consequences of overlooked security measures. Key points include:
– **Vulnerability Nature**: The flaw involved prompt injection, a technique in which attacker-controlled text is fed into an AI agent's input so that the model treats it as instructions and changes its behaviour, raising concerns about how AI agents separate trusted instructions from untrusted data.
– **Potential Impact**: Sensitive customer data was at risk, indicating the depth of damage that could result from exploits of this nature. Such breaches not only jeopardize data privacy but also erode trust in the platform.
– **Method of Exploitation**: The researchers took advantage of an expired domain that Salesforce still treated as trusted, buying it for about five dollars, which shows how an inexpensive, readily available resource can turn a stale trust relationship into a significant breach.
– **Response to Vulnerability**: The fact that the flaw was subsequently fixed demonstrates the necessity for continuous monitoring, patching, and improvement of security practices within AI deployments.
Implications for security and compliance professionals include:
– **Need for Robust Input Validation**: This incident underscores the importance of rigorously validating and sanitizing inputs to AI systems to prevent unauthorized exploitation.
– **Awareness of Supply Chain Risks**: The use of expired domains highlights potential vulnerabilities in domain management and supply chain security.
– **Adopting Zero Trust Principles**: Implementing a zero-trust architecture could help mitigate risks by enforcing strict identity verification and access controls, even within systems that users may perceive as secure.
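The "expired trusted domain" lesson above is the one that is easiest to turn into a routine check: any allowlist of trusted domains (content security policies, webhook targets, OAuth redirect hosts, outbound-egress rules) should be audited for entries that no longer resolve or whose registration is about to lapse, because such a domain can be re-registered by anyone. The following is an added example written for this summary, not code from The Register's article or from Salesforce; the allowlist, registration dates and DNS answers are constructed sample data, and the `resolve` and `expiry_of` callables are placeholders that in real use would wrap `socket.getaddrinfo` and an RDAP/WHOIS lookup.

```python
"""Audit a trusted-domain allowlist for stale entries (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

@dataclass
class DomainFinding:
    domain: str
    reason: str

# Constructed sample data: a hypothetical allowlist plus the answers a
# registry (RDAP/WHOIS) and DNS would give for each host.
SAMPLE_ALLOWLIST = [
    "app.example-corp.test",
    "cdn.example-corp.test",
    "old-vendor.test",   # registration has lapsed; nobody re-checked it
]
SAMPLE_REGISTRY: Dict[str, date] = {
    "example-corp.test": date(2026, 6, 1),
    # "old-vendor.test" deliberately absent: no current registration
}
SAMPLE_DNS: Dict[str, str] = {
    "app.example-corp.test": "203.0.113.10",
    "cdn.example-corp.test": "203.0.113.11",
}

def registrable_domain(host: str) -> str:
    """Naive apex extraction (last two labels). A real audit should use the
    Public Suffix List so that hosts under e.g. co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def sample_resolve(host: str) -> Optional[str]:
    """Stand-in for a DNS lookup over the constructed table."""
    return SAMPLE_DNS.get(host)

def sample_expiry_of(apex: str) -> Optional[date]:
    """Stand-in for an RDAP/WHOIS expiry lookup over the constructed table."""
    return SAMPLE_REGISTRY.get(apex)

def audit_allowlist(
    allowlist: List[str],
    resolve: Callable[[str], Optional[str]],
    expiry_of: Callable[[str], Optional[date]],
    today: date,
    warn_days: int = 30,
) -> List[DomainFinding]:
    """Return one finding per problem: unregistered apex, expiry within
    warn_days, or a host that no longer resolves. An empty list means the
    allowlist passed the audit."""
    findings: List[DomainFinding] = []
    checked_apex: Dict[str, Optional[date]] = {}
    for host in allowlist:
        apex = registrable_domain(host)
        if apex not in checked_apex:
            checked_apex[apex] = expiry_of(apex)
            expiry = checked_apex[apex]
            if expiry is None:
                findings.append(DomainFinding(
                    apex, "no current registration: domain could be bought by anyone"))
            elif expiry - today <= timedelta(days=warn_days):
                findings.append(DomainFinding(
                    apex, f"registration expires {expiry.isoformat()} "
                          f"(within {warn_days} days)"))
        if resolve(host) is None:
            findings.append(DomainFinding(host, "host does not resolve"))
    return findings

def run_sample_audit(today: date = date(2025, 9, 26)) -> List[DomainFinding]:
    return audit_allowlist(SAMPLE_ALLOWLIST, sample_resolve, sample_expiry_of, today)

if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.domain}: {f.reason}")
```

Run against the constructed data with a "today" of 2025-09-26, the audit reports that `old-vendor.test` has no registration and its host no longer resolves, while both `example-corp.test` hosts pass; moving the clock to within 30 days of the `example-corp.test` expiry adds an early warning for that apex. The two callables are injected so the same logic can be unit-tested offline and then pointed at real DNS and RDAP in a scheduled job.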
The overall message reinforces the ongoing challenges faced in securing AI systems amid evolving threats, making it crucial for security professionals to remain vigilant and proactive in their strategies.