
 Smashing Security
 Smashing Security Salesforce's trusted domain of doom
 20 snips 
 Oct 1, 2025  Paul Ducklin, a veteran cybersecurity expert, delves into a serious flaw in Salesforce's AgentForce, revealing how attackers exploited it for data breaches. They discuss the controversial nature of breach communications, critiquing companies that imply safety too soon. Ducklin also tackles the cultural shift towards 'assume breach' in cybersecurity. The conversation takes a lighter turn with insights on ITV's phone-hacking drama starring David Tennant and a fascinating exploration of the Rosetta Stone, highlighting its historical importance and lessons for collaboration. 
 AI Snips 
 Chapters 
 Books 
 Transcript 
 Episode notes 
AI Acts On Stored CRM Content
- Salesforce AgentForce can be tricked by malicious data stored in ordinary CRM fields and later acted on by autonomous agents.
- Indirect prompt injection through stored inputs can cause the AI to execute hidden instructions without direct user intent.
Researchers Smuggled Instructions Via Lead Form
- Noma Security injected long instructions into Salesforce Web-to-Lead description fields to poison AgentForce responses.
- They used the AI to assemble email addresses and exfiltrate them by embedding a crafted image URL parameter.
Huge Free-Text Fields Increase Risk
- Large free-text CRM fields (42,000 characters) create attack surface for embedded instructions and data abuse.
- Autonomous agents will obediently parse and act on that stored text in ways humans might not expect.



