Salesforce Flaw Exposes Customer Data in Plain Text

Salesforce’s OmniStudio platform contains a critical vulnerability that exposes sensitive customer data in plain text, according to researchers at AppOmni. The flaw stems from misconfigurations in the platform’s data processing pipeline, where key components like FlexCard and OmniScript bypass standard encryption protocols. This leaves personally identifiable information — such as names, Social Security numbers and payment details — accessible via unsecured API endpoints.

The vulnerability affects versions released between January 2024 and May 2025 and can be exploited using basic HTTP requests, without triggering security monitoring systems. AppOmni found that about 15% of surveyed implementations were impacted, with many organizations unaware of the risk.

The issue results from improper integration of Salesforce’s Shield Platform Encryption, allowing data to be stored and transmitted without adequate protection. Affected sectors include healthcare, finance and retail, raising compliance concerns under GDPR, HIPAA and CCPA. Organizations are urged to audit configurations and apply encryption controls immediately.
