Smashing Security

Salesforce's trusted domain of doom

Graham Cluley

News, Tech News, Technology

4.7 • 579 Ratings

🗓️ 1 October 2025

⏱️ 43 minutes

Summary

Researchers uncovered a security flaw in Salesforce's shiny new Agentforce. The vulnerability, dubbed "ForcedLeak", let them smuggle AI-read instructions in via a humble Web-to-Lead form... and ended up spilling data for the low, low price of five dollars.

And we discuss why data breach communications still default to "we take security seriously" while quietly implying "assume no breach" - until the inevitable walk-back.

Plus, we take a look at ITV's phone-hacking drama with David Tennant, and take a crack at decoding the history of the Rosetta Stone.

Hear all this and more in episode 437 of the "Smashing Security" podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Paul Ducklin.


SPONSORS:

  • SecAlerts - SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it's released. Use code SMASHING for 50% off a year subscription.
  • ANON - Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.
  • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!


SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!


FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.


THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".



Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

0:00.0

This particular one has been given a CVSS score of 9.4.

0:08.8

Basically, the industry puts a number on how badly you've cocked things up.

0:12.9

9.4 is sort of one step shy of everything's on fire and the sprinklers are broken.

0:18.8

It's not unplug everything and hide under your desk.

0:21.7

It's more sort of unplug, with Graham Cluley.

0:45.8

Hello, hello, and welcome to Smashing Security episode 437.

0:49.3

My name's Graham Cluley.

0:50.8

And I am Paul Ducklin.

0:53.4

Duck, welcome back. Do you know I had a look through the archives.

0:57.6

You were our very first guest on the show.

1:01.5

Huzzah!

1:02.0

Back in episode 11 in 2017.

1:06.1

I think Vanya had just quit and we parachuted you in.

1:10.1

And here you are again. Now the other one's left.

1:12.7

Here I am again. Wow, 2017. I thought you were going to say 1974 for a moment, because everything

1:20.8

before the pandemic now seems to feel like a long time ago. It does, doesn't it? It's like the

1:26.2

Ice Age. It's probably a good thing.

1:28.8

So, Duck, for those people who don't know you, what do you do and why might they have heard of you?

1:35.5

Well, one reason old timers might have heard of me or anyone who runs an antivirus,

1:41.9

but I think I mean EDR software, has probably downloaded the

1:47.0

EICAR test file at some time. And on that page, there is a thing that goes blah, blah, blah, blah,

1:52.4

blah, blah, blah, blah, ducklin.html. And that ducklin.html is I. That's right. So I didn't

...

Disclaimer: The podcast and artwork embedded on this page are from Graham Cluley, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of Graham Cluley and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
