Salesforce industry cloud is full of configuration risks

For example, a data packet can also be orphaned if the user who created it presses the cancel button during the process. In this case, its attachments are created and never deleted. Worse, they are not listed on Omnistudio’s Packet Inventory page, so it’s hard for administrators to detect them.

When embedded in an external website, a FlexCard or Omniscript component requires an access token to access Salesforce. These tokens must be created using the Omniout application. However, an end user of the website can inspect the API requests locally in their browser and extract this token, which can then be abused. Costello recommends that companies use agents to communicate between externally integrated components and Salesforce.

However, when the token itself is embedded in a public version control system like GitHub, the agent is helpless. Furthermore, if the agent is poorly configured and forwards requests without verification, it introduces risk, because users can try to tamper with the parameters and values.
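The following Python example is added here for illustration and is not code from the article, Costello, or Salesforce. It shows the server-side checks such an intermediary agent can apply before forwarding anything: the token is read from the runtime environment rather than from source control, and only allowlisted operations with validated parameters are passed on. The operation names, the parameter schema and the `SF_ACCESS_TOKEN` variable name are assumptions.

```python
import os
import re

# Hypothetical allowlist: operation name -> {parameter name: value pattern}.
ALLOWED = {
    "getCaseStatus": {"caseNumber": re.compile(r"\d{8}")},
    "listOpenCases": {},
}
# Headers the browser may never supply: the agent attaches the token itself.
FORBIDDEN_HEADERS = {"authorization", "cookie"}


def load_token(env=os.environ):
    """Read the token from the runtime environment, never from the repository."""
    token = env.get("SF_ACCESS_TOKEN")  # hypothetical variable name
    if not token:
        raise RuntimeError("SF_ACCESS_TOKEN is not set")
    return token


def build_upstream_request(operation, params, headers, token):
    """Return the request to forward upstream, or raise ValueError to reject it."""
    if operation not in ALLOWED:
        raise ValueError(f"operation not allowed: {operation!r}")
    if FORBIDDEN_HEADERS & {h.lower() for h in headers}:
        raise ValueError("client supplied a credential header")
    schema = ALLOWED[operation]
    unexpected = set(params) - set(schema)
    missing = set(schema) - set(params)
    if unexpected or missing:
        raise ValueError(f"unexpected={sorted(unexpected)} missing={sorted(missing)}")
    for name, pattern in schema.items():
        value = params[name]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"invalid value for {name}")
    # Copy only validated fields; the token is added server-side and never
    # reaches the browser.
    return {
        "operation": operation,
        "params": {name: params[name] for name in schema},
        "headers": {"Authorization": f"Bearer {token}"},
    }
```

Rejected requests are worth logging with the client address and operation name, since repeated parameter tampering against the agent is a useful detection signal.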
