ServiceNow’s Data Exposure Announcement
On October 20, ServiceNow quietly patched a data exposure vulnerability that appears to have been present in the platform since 2015. Security researcher Aaron Costello discovered that the Simple List widget allowed unauthenticated attackers to pull personal data. The root cause is that Service Portal widgets are public by default, so an attacker who knew the table and field names could query for whatever data they wanted. The oversight came from an asymmetry in ACL handling: a widget protected by an access control list (ACL) denies by default, but if the ACL was "empty", access defaulted to allow. Any widget left with its default ACLs was affected.
ServiceNow attempted to patch this earlier, in March, but that protection did little out of the box. The fix denied access unless the ACL was explicitly open to the "Public" role; for instances that never defined that role, an attacker could still get access. ServiceNow is now rolling out a script that applies deny-by-default rules to every empty ACL. In the meantime it is still warning customers to set ACLs for every widget and to review existing rules for unnecessary grants that may allow access.
As this issue appears to have existed for quite some time, many records may have been exposed without anyone noticing. It is important to review your transaction logs for unauthenticated requests against the affected widgets to determine whether your data was accessed. If you want to know more about what kinds of data you store, and what the risk of a breach is, contact us for a demo of Glassportal: demo@glassportal.io
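The log review suggested above is easy to script once the transaction log has been exported. The following is an added example, not code from the original post or from ServiceNow: it scans a few constructed log lines for widget API requests made by the unauthenticated "guest" user, records which table and fields each request asked for, and reports which of those requests were actually served. The key=value line layout, the query parameter names assumed to carry the table and field list (t and f), and the widget id list are assumptions of this example; adapt them to the export format and widgets in your own instance.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines. The key=value layout is an assumption made for this
# example, not ServiceNow's actual transaction log export; adjust LINE_RE to match yours.
SAMPLE_LOG = """\
2023-10-18T09:12:03Z user=guest method=GET url=/api/now/sp/widget/widget-simple-list?t=sys_user&f=email,phone status=200
2023-10-18T09:12:05Z user=abel.tuter method=GET url=/api/now/sp/widget/widget-simple-list?t=incident&f=short_description status=200
2023-10-18T09:13:44Z user=guest method=GET url=/sp?id=index status=200
2023-10-18T09:14:10Z user=guest method=GET url=/api/now/sp/widget/widget-simple-list?t=cmn_location&f=name status=403
"""

# Service Portal widget API prefix, the widget ids to watch, and the query parameters
# assumed (for this example) to carry the requested table and field list.
WIDGET_PATH_PREFIX = "/api/now/sp/widget/"
WATCHED_WIDGETS = {"widget-simple-list"}
TABLE_PARAM, FIELDS_PARAM = "t", "f"
# Requests attributed to this user were made without authentication.
UNAUTHENTICATED_USERS = {"guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+method=(?P<method>\S+)"
    r"\s+url=(?P<url>\S+)\s+status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def widget_request(url):
    """Return (widget_id, table, fields) when url targets the widget API, else None."""
    parts = urlsplit(url)
    if not parts.path.startswith(WIDGET_PATH_PREFIX):
        return None
    widget_id = parts.path[len(WIDGET_PATH_PREFIX):].split("/")[0]
    qs = parse_qs(parts.query)
    table = qs.get(TABLE_PARAM, [None])[0]
    raw_fields = qs.get(FIELDS_PARAM, [""])[0]
    fields = [f for f in raw_fields.split(",") if f]
    return widget_id, table, fields


def triage(log_text):
    """Collect unauthenticated requests to watched widgets, noting whether each was served."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in UNAUTHENTICATED_USERS:
            continue
        req = widget_request(rec["url"])
        if req is None or req[0] not in WATCHED_WIDGETS:
            continue
        widget_id, table, fields = req
        findings.append({
            "ts": rec["ts"],
            "user": rec["user"],
            "widget": widget_id,
            "table": table,
            "fields": fields,
            # A 200 means the widget returned data; anything else was blocked.
            "served": rec["status"] == 200,
        })
    return findings


def summarize(findings):
    """Group served pulls by table so you know which columns to treat as exposed."""
    exposed = {}
    for f in findings:
        if f["served"]:
            exposed.setdefault(f["table"], set()).update(f["fields"])
    return {table: sorted(cols) for table, cols in exposed.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        verdict = "SERVED" if f["served"] else "blocked"
        print(f'{f["ts"]} {f["user"]} {f["widget"]} {f["table"]} {",".join(f["fields"])} {verdict}')
    print("exposed:", summarize(found))
```

Blocked attempts are kept in the findings on purpose: a burst of 403s from guest against many tables is reconnaissance worth alerting on even when nothing was returned, while the summarize() output is the list of tables and columns you should treat as exposed.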