Smashing Security

Salesforce's trusted domain of doom

Oct 1, 2025
Paul Ducklin, a veteran cybersecurity expert, delves into a serious flaw in Salesforce's AgentForce, revealing how attackers exploited it for data breaches. They discuss the controversial nature of breach communications, critiquing companies that imply safety too soon. Ducklin also tackles the cultural shift towards 'assume breach' in cybersecurity. The conversation takes a lighter turn with insights on ITV's phone-hacking drama starring David Tennant and a fascinating exploration of the Rosetta Stone, highlighting its historical importance and lessons for collaboration.
INSIGHT

AI Acts On Stored CRM Content

  • Salesforce AgentForce can be tricked by malicious data stored in ordinary CRM fields and later acted on by autonomous agents.
  • Indirect prompt injection through stored inputs can cause the AI to execute hidden instructions without direct user intent.

ANECDOTE

Researchers Smuggled Instructions Via Lead Form

  • Noma Security injected long instructions into Salesforce Web-to-Lead description fields to poison AgentForce responses.
  • They used the AI to assemble email addresses and exfiltrate them by embedding a crafted image URL parameter.

INSIGHT

Huge Free-Text Fields Increase Risk

  • Large free-text CRM fields (42,000 characters) create attack surface for embedded instructions and data abuse.
  • Autonomous agents will obediently parse and act on that stored text in ways humans might not expect.