A potential vulnerability in ServiceNow that could have left user data exposed for as long as eight years has been discovered by a cyber security expert.
Information security specialist Daniel Miessler posted on social media saying that a “potential data exposure issue” in the digital workflow management platform could leave user data visible to unauthenticated users.
🪳👀🚨DEVELOPING: A potential data exposure issue within ServiceNow's built-in capability has been identified. This could allow unauthenticated users to extract data from records.
— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ ☕️ (@DanielMiessler) October 16, 2023
Miessler said the issue, which could have been around since 2015, is due to a misconfiguration in the Simple List widget in ServiceNow’s system, a tool that allows for records to be viewed in easily readable tables.
“Their access control is not governed by ACLs, making them potentially overlooked during routine checks for public ACLs on non-record components,” Miessler continued.
The issue is likely to have exposed data from thousands of organisations, with information including names, email addresses, internal documents, incident details and attachment names potentially compromised, according to a colleague of Miessler.
Miessler said ServiceNow attempted to make Simple List more secure in March this year by modifying the JavaScript code, but the flaw still exists.
“The potential for data exposure still exists, especially for large-scale SaaS platforms that have any concept of public access to data,” he said.
Fellow researcher and cyber expert Aaron Costello has said that this change is only proof that the vendor is aware of the issue.
At this stage, there is no indication that the exposed data has been used by threat actors; however, there is no conclusive evidence to say that it hasn’t been used maliciously either.
“There’s been no evidence of exploitation in the wild. However, [...] with this write-up, it’s likely to be attacked a lot more,” Miessler warned.
Miessler has advised that organisations can implement a number of security measures to mitigate the vulnerability and keep their data safe, including disabling public widgets, setting IP restrictions and securing ACLs.
To mitigate this issue, organizations can implement
- IP restrictions for inbound traffic,
- disable public widgets, or
- secure ACLs with a role/explicit roles plugin.
— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ ☕️ (@DanielMiessler) October 16, 2023
For additional information on how to identify the issue and any attempts at exploitation, as well as a technical write-up of the vulnerability, head to Aaron Costello’s blog.