Salesforce Industry Cloud riddled with configuration risks

Data Packs can also become orphaned, for example, if the user creating them presses the cancel button during the process. In this case, their attachments get created and never removed. Worse, they are not listed on the Data Packs inventory page in OmniStudio, making it harder for admins to detect them.

When embedded in an external website, FlexCard or OmniScript components need an access token to access Salesforce. These tokens must be created using an OmniOut app. However, a website’s end-user can inspect the API requests locally in their browsers and extract this token, which can then be misused. Costello recommends that companies use a proxy for communication between external OmniStudio components and Salesforce.

A proxy, however, won’t help when the token itself is embedded in OmniOut code that has been compromised or stored in public version control systems like GitHub. Furthermore, a proxy could introduce risks if it’s poorly configured to forward requests without validation, as users could attempt to tamper with parameters and values.