ServiceNow leak: thousands of companies at risk

Digital business platform ServiceNow has a data vulnerability that could have compromised its users for years, a cybersecurity expert warns. The company has since tacitly acknowledged the warning, though it neither confirmed nor denied it.

“A potential data exposure issue within ServiceNow's built-in capability has been identified,” said Daniel Miessler, in a post on X, aka Twitter. “This could allow unauthenticated users to extract data from records.”

Miessler appears to have been working off a longer report by fellow cybersecurity researcher Aaron Costello that he linked to from his Twitter thread.

Types of data that may have been exposed include names, email addresses, and internal documents, with “thousands of companies” likely affected.

Cybernews reached out to Costello for confirmation of this analysis, and he told us: "From my own testing, this is definitely not a stretch. Around 70% of total instances seem to be affected."

Miessler says the weak link is a misconfiguration in a ServiceNow component, or widget, called Simple List, which displays records from tables in an easily readable form.

What’s more, the glitch has been around since the Simple List component was created in 2015. As yet, Miessler says, there is no proof that it has been exploited by bad actors, though, as Costello himself noted, that does not necessarily mean it hasn’t.

“There's been no evidence of exploitation in the wild. However, [...] with this writeup it's likely to be attacked a lot more,” Miessler added dryly.

To mitigate the issue, Miessler urges organizations to restrict inbound traffic by IP address, disable public widgets, or strengthen their access control lists (ACLs) with a plugin.

Cybernews reached out to ServiceNow for comment and it replied on October 18th, saying it was "aware of the recent publications describing a potential misconfiguration issue."

Though the company did not specifically confirm the reports by Costello and Miessler, it pointed clients to what it described as "official guidance from ServiceNow" allowing them “to evaluate whether additional steps are needed to further secure their instances.”

It added: "We proactively work with customers on the ongoing safety of their security configurations, including Access Control Lists (ACLs), to ensure they are properly structured and aligned to their intended purpose. We make these protocols extensible so our customers can configure them based on their unique security needs - from companies with public portals providing broad access to information to enterprise-specific use cases where access is restricted to select users."

ServiceNow said it would “continue to work closely with customers to ensure that their ACL protocols were aligned with their specific intent and purposes.”

Racine Faye, 8 months ago:
This widget is public; however, how would you even get to this widget when it is not on any public pages OOB? This seems like a scare tactic to me. The table would need to be publicly accessible as well, and you would need to get to the widget somehow without it being on a page.