Knowledge base misconfigurations led to data exposure in 1k+ ServiceNow instances

An AppOmni researcher found that sensitive information from organizations such as passwords and access tokens were exposed due to outdated or misconfigured knowledge base access controls.
Dragon Claws/Getty Images

Organizations that use ServiceNow may have inadvertently left their data an open book to anyone willing to take a peek, due to a misconfiguration in their knowledge base access control settings.

According to new research from AppOmni, more than a thousand ServiceNow instances (an "instance" is an organization's copy of ServiceNow in the cloud) were found to be unknowingly exposing data from their knowledge base to the public. The knowledge base is a ServiceNow feature, often used for IT and human resources support, that lets users build a repository of information for internal or external use.

AppOmni Chief of SaaS Security Research Aaron Costello told IT Brew that he discovered the finding after testing over 2,000 instances for data exposures in the past year.

“Some of the examples of data that I’d found which were publicly accessible were things such as documents that describe intricacies of internal computer systems belonging to the organization, credentials such as actual passwords and access tokens that could be used by a malicious person to access other systems belonging to the organization, and in other cases, some minor [personal identifiable information],” Costello said.

In an analysis of the affected instances, Costello found that some of the vulnerabilities were triggered in part by older ServiceNow customers whose configurations allow public access by default, and by a lack of understanding around user criteria that unexpectedly grant access to unauthenticated users.

Déjà vu. Costello’s finding comes nearly a year after he published research on how the default configurations of ServiceNow’s Simple List widget could lead to sensitive information being exposed to unauthorized users. While ServiceNow has taken steps to improve data protection in its products, Costello said the knowledge base-linked data exposures were able to occur because the “vast majority” of knowledge bases are secured using user criteria, which group users according to a specified condition, as opposed to an access control list.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“The fix that they deployed from my previous research only affected certain resources,” said Costello. “[S]ince knowledge bases have a different type of access controls than those other resources, it didn’t…mitigate data exposure problems for the knowledge base.”

In his September blog post detailing his findings, Costello added that certain public widgets did not receive an update from ServiceNow that would prevent them from accessing data without being added to an “allow list.” As a result, bad actors would be able to leverage select widgets to retrieve information from knowledge base articles without being authenticated.

The power lies within. Costello said that organizations can mitigate ServiceNow knowledge base-related data risks by staying informed about the relevant security properties and what each one does.

Costello told IT Brew that it is also “imperative” that organizations “routinely scrutinize” their access controls to ensure that they remain secure amid product updates.
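One way to make that routine scrutiny concrete is a small audit that lists every knowledge base an unauthenticated visitor could read. The following is an added example written for this article, not code from AppOmni, Costello or ServiceNow. It models knowledge bases and user criteria with a simplified, assumed schema (the field names `can_read`, `cannot_read`, `users`, `groups`, `roles`, `companies` and `match_all`, the `guest` user and the rule that "cannot read" criteria win are all assumptions), and it runs on constructed sample records rather than a live instance. The point it demonstrates is the one in the article: a criterion with no conditions, or an empty read list, matches everyone, including the unauthenticated guest.

```python
"""Audit which knowledge bases are readable by an unauthenticated (guest) visitor.

Added example with an ASSUMED, simplified data model; the record fields and the
precedence rule below are assumptions, not ServiceNow's documented schema.
"""
from dataclasses import dataclass, field

# Assumption: an unauthenticated visitor is represented by a user named "guest"
# that belongs to no groups, holds no roles and has no company.
GUEST_USER = "guest"


@dataclass
class UserCriterion:
    """A user criteria record: a user matches when its conditions are met."""
    sys_id: str
    name: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    companies: set = field(default_factory=set)
    match_all: bool = False  # True: every set condition must hold; False: any one


@dataclass
class KnowledgeBase:
    sys_id: str
    title: str
    can_read: list = field(default_factory=list)     # criterion sys_ids
    cannot_read: list = field(default_factory=list)  # criterion sys_ids


def criterion_matches_guest(c: UserCriterion) -> bool:
    """Evaluate a criterion for the guest user.

    Guest can only ever satisfy a 'users' condition that names it explicitly;
    group, role and company conditions can never be satisfied by guest.
    A criterion with no conditions at all matches everyone, guest included.
    """
    results = []
    if c.users:
        results.append(GUEST_USER in c.users)
    if c.groups:
        results.append(False)
    if c.roles:
        results.append(False)
    if c.companies:
        results.append(False)
    if not results:          # unconstrained criterion: matches everybody
        return True
    return all(results) if c.match_all else any(results)


def kb_is_publicly_readable(kb: KnowledgeBase, criteria_by_id: dict) -> bool:
    """Assumption: a matching 'cannot read' criterion takes precedence;
    an empty 'can read' list means reading is unrestricted."""
    deny = [criteria_by_id[i] for i in kb.cannot_read]
    if any(criterion_matches_guest(c) for c in deny):
        return False
    allow = [criteria_by_id[i] for i in kb.can_read]
    if not allow:
        return True
    return any(criterion_matches_guest(c) for c in allow)


def audit_public_knowledge_bases(kbs: list, criteria: list) -> list:
    """Return the titles of knowledge bases a guest could read, sorted."""
    by_id = {c.sys_id: c for c in criteria}
    return sorted(kb.title for kb in kbs if kb_is_publicly_readable(kb, by_id))


# Constructed sample data (not from any real instance).
SAMPLE_CRITERIA = [
    UserCriterion("uc1", "Employees", roles={"employee"}),
    UserCriterion("uc2", "Everyone"),                       # no conditions at all
    UserCriterion("uc3", "Guest explicitly", users={"guest"}),
    UserCriterion("uc4", "IT staff or guest", users={"guest"}, roles={"itil"},
                  match_all=True),                          # guest lacks the role
]
SAMPLE_KBS = [
    KnowledgeBase("kb1", "IT Support", can_read=["uc1"]),
    KnowledgeBase("kb2", "HR Policies", can_read=["uc2"]),
    KnowledgeBase("kb3", "Internal Systems"),               # empty read list
    KnowledgeBase("kb4", "Partner Docs", can_read=["uc3"]),
    KnowledgeBase("kb5", "Runbooks", can_read=["uc4"]),
    KnowledgeBase("kb6", "Drafts", can_read=["uc2"], cannot_read=["uc3"]),
]

if __name__ == "__main__":
    for title in audit_public_knowledge_bases(SAMPLE_KBS, SAMPLE_CRITERIA):
        print("guest-readable:", title)
```

In the constructed sample, "HR Policies" is flagged because its only criterion has no conditions, "Internal Systems" because nothing restricts reading at all, and "Partner Docs" because guest is named outright; "Runbooks" is not flagged because `match_all` also requires a role guest does not hold, and "Drafts" is not because a deny criterion matches guest. Against a real instance the same evaluation would have to be validated against the product's actual criteria semantics rather than the assumed ones here.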

“You could be in a good state today, but tomorrow, you could be at risk of compromise because of wind change,” he said.

Costello’s findings amplify the importance of understanding what your organization is responsible for when it comes to managing different security aspects associated with a product, a principle of the shared responsibility model.

“It’s up to yourselves as an organization to ensure that your access controls are secure and it is not on ServiceNow to do that for you,” Costello said. “That’s the most crucial thing here.”
