Last month, as part of my independent, ongoing research into SaaS security, I released an article discussing capabilities within the ServiceNow platform that could be leveraged to extract record information while entirely unauthenticated. Prior to doing so, I made a best effort to contact affected organizations that had a public vulnerability program and to make them aware of the risk.
For an organization to be susceptible to this kind of data exfiltration, the following conditions must be met:
- The Simple List or Unordered List widget(s) must be marked as publicly available, which they are by default
- The organization must have misconfigured an ACL, User Criteria, or other access control in a way that leaves the information it protects readable without authentication. In some cases the vulnerable ACLs were provided by ServiceNow out of the box (OOB) as part of the core platform
Once a platform configuration meets both of the above, an unauthenticated attacker can remotely query the widgets with arbitrary table and field names and retrieve record data. Organizations that did not further restrict certain ServiceNow-provided ACLs were among the worst affected: information on internal users, installed applications, service catalog items, asset items, and CMDB entries was disclosed by default. Of all the organizations tested, over 90% were leaking some form of sensitive information.
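The first precondition above is a configuration fact that an instance administrator can check directly. As an added example (not code from the original article or from ServiceNow), the following Python script enumerates Service Portal widgets whose Public flag is set by querying the `sp_widget` table through the ServiceNow Table API, then marks those that match the widget names the article calls out. It assumes the `sp_widget` table carries the Public checkbox in a field named `public`, that the Table API returns that boolean as the string `"true"`, and that the caller has credentials allowed to read `sp_widget` (for example an `admin` or `sp_admin` account); the widget records at the bottom are constructed sample data so the logic can be run offline.

```python
"""Audit a ServiceNow instance for Service Portal widgets flagged Public.

Added example for this article; not part of the original post or of
ServiceNow's own tooling. Assumptions (not confirmed by the article):
  - sp_widget has a boolean field named `public`
  - the Table API serializes booleans as the strings "true"/"false"
  - the credentials used can read sp_widget (admin / sp_admin)
"""
import base64
import json
import urllib.parse
import urllib.request

# Widgets the article names as Public by default. Matching is done on the
# human-readable widget name because that is what the article uses.
WATCHED_WIDGET_NAMES = {"simple list", "unordered list"}


def build_table_query(instance: str, table: str = "sp_widget") -> str:
    """Return the Table API URL that lists widgets with public=true."""
    params = {
        "sysparm_query": "public=true",
        "sysparm_fields": "sys_id,id,name,public",
        "sysparm_limit": "1000",
    }
    return f"https://{instance}/api/now/table/{table}?{urllib.parse.urlencode(params)}"


def fetch_records(url: str, user: str, password: str, timeout: int = 30) -> list:
    """Fetch Table API results with HTTP basic auth (live instance only)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


def is_truthy(value) -> bool:
    """Table API booleans arrive as strings; treat only 'true' as set."""
    return str(value).strip().lower() == "true"


def flag_public_widgets(records: list) -> list:
    """Return one finding per Public widget, noting the OOB ones the article names."""
    findings = []
    for rec in records:
        if not is_truthy(rec.get("public")):
            continue
        name = (rec.get("name") or "").strip()
        findings.append(
            {
                "name": name,
                "id": rec.get("id"),
                "sys_id": rec.get("sys_id"),
                "oob_default_public": name.lower() in WATCHED_WIDGET_NAMES,
            }
        )
    return findings


# Constructed sample records in the shape the Table API returns; the sys_id
# values are placeholders and the records do not come from any real instance.
SAMPLE_WIDGET_RECORDS = [
    {"sys_id": "0" * 32, "id": "widget-simple-list", "name": "Simple List", "public": "true"},
    {"sys_id": "1" * 32, "id": "widget-unordered-list", "name": "Unordered List", "public": "true"},
    {"sys_id": "2" * 32, "id": "acme-kb-search", "name": "Acme KB Search", "public": "true"},
    {"sys_id": "3" * 32, "id": "acme-approvals", "name": "Acme Approvals", "public": "false"},
]


if __name__ == "__main__":
    # Offline run against the constructed sample. For a live audit, replace the
    # sample with fetch_records(build_table_query("<instance>"), user, password).
    for finding in flag_public_widgets(SAMPLE_WIDGET_RECORDS):
        tag = "OOB default-public" if finding["oob_default_public"] else "custom"
        print(f"{finding['name']!r} ({finding['id']}): Public [{tag}]")
```

Every widget this lists is reachable by unauthenticated callers, so each one is a candidate for the second precondition: review the ACLs and User Criteria on any table that widget can be pointed at, rather than relying on the widget itself as a control.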
In the article I made a number of recommendations that organizations could follow to both mitigate and prevent this data exposure, and days later ServiceNow addressed the risk for its customers by rolling out mitigations to all instances.