Over 1,000 ServiceNow Instances Found Leaking Confidential Corporate Data
Recently, researchers uncovered more than 1,000 ServiceNow instances that are leaking confidential corporate data. This leak involves sensitive information such as personal details, system data, and user credentials. These leaks happen due to faulty configurations within the ServiceNow platform.
What is ServiceNow?
ServiceNow is a cloud platform that helps businesses manage their workflows. Companies use it to handle various tasks, including customer service, human resources, and IT management. One important feature is the Knowledge Base. This area holds articles that provide guidance, FAQs, and internal procedures. Many of these articles should only be visible to certain users. Unfortunately, some are accessible to anyone.
The Problem of Misconfiguration
Many organizations do not set up their ServiceNow instances properly. According to Aaron Costello, a key researcher, many of these setups allow unauthorized users to access sensitive data. The settings that control who can see what are often configured incorrectly. As a result, sensitive articles become public.
In 2023, ServiceNow tried to fix this. They released a security update intended to enhance access controls. However, this update did not cover the Knowledge Base section. That section still relies on older permission settings. Many teams used the User Criteria permission system. This system does not completely protect against unauthorized access.
What Information is at Risk?
The leaked information includes various types of sensitive data. Examples are personally identifiable information (PII), internal system details, and even user credentials. For some organizations, this has serious consequences. When attackers gain access to such data, they can use it for various malicious activities. This might include identity theft or unauthorized access to company resources.
How Attackers Exploit the Vulnerabilities
Attackers can exploit these weaknesses easily. They can use tools to send many requests to a vulnerable ServiceNow endpoint. By guessing the Knowledge Base article numbers, they can find exposed articles. The article IDs are often numbered in order, which makes it simpler to guess. For instance, an attacker can try starting from KB0000001 and continue until they find an article that is open to the public.
The researchers showed how simple it is to access this data. They built a proof-of-concept attack demonstrating that an external actor could reach the ServiceNow instance, capture the tokens needed for HTTP requests, and then use those tokens to access and retrieve articles from the Knowledge Base.
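Defenders can look for the sequential guessing described above in their own request logs. The following is an added example, not code from the researchers or ServiceNow; the four-field log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed, pre-normalised format:
# "<time> <source> <http-status> <requested-article-number>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 198.51.100.7 403 KB0000001
2024-01-01T10:00:01Z 198.51.100.7 403 KB0000002
2024-01-01T10:00:02Z 198.51.100.7 200 KB0000003
2024-01-01T10:00:02Z 198.51.100.7 403 KB0000004
2024-01-01T10:00:03Z 198.51.100.7 403 KB0000005
2024-01-01T10:00:03Z 198.51.100.7 200 KB0000006
2024-01-01T10:05:10Z 203.0.113.20 200 KB0000412
2024-01-01T10:09:44Z 203.0.113.20 200 KB0000007
2024-01-01T11:00:00Z 203.0.113.45 200 KB0000120
2024-01-01T11:02:00Z 203.0.113.45 200 KB0000033
2024-01-01T11:03:00Z 203.0.113.45 200 KB0000121
2024-01-01T11:07:00Z 203.0.113.45 200 KB0000450
2024-01-01T11:09:00Z 203.0.113.45 200 KB0000002
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) KB(\d+)$")

def find_enumeration(log_text, min_distinct=5, min_sequential_ratio=0.8):
    """Return {source: summary} for sources whose article requests step through numbers in order."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed or unrelated lines are skipped
            per_source[m.group(2)].append((int(m.group(4)), int(m.group(3))))
    findings = {}
    for src, hits in per_source.items():
        numbers = [n for n, _ in hits]
        if len(set(numbers)) < max(min_distinct, 2):
            continue
        # Share of consecutive requests that move to the very next article number.
        steps = [b - a for a, b in zip(numbers, numbers[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            findings[src] = {
                "distinct_articles": len(set(numbers)),
                "sequential_ratio": round(ratio, 2),
                # Articles actually served to this source: review these first.
                "served": sorted(f"KB{n:07d}" for n, s in hits if s == 200),
            }
    return findings

if __name__ == "__main__":
    for source, summary in find_enumeration(SAMPLE_LOG).items():
        print(source, summary)
```

The "served" list is the part to act on: those are articles an unauthenticated sequential scan was able to read, so their User Criteria should be checked first.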
Recommendations for Companies
To protect sensitive articles, companies should take specific actions. First, they must set the correct User Criteria. Articles should have restrictions that prevent all unauthorized users from accessing them. If a company does not need public access to its Knowledge Base, it should disable this option completely. This action reduces the risk of unwanted data exposure.
Next, ServiceNow administrators can activate several security settings to improve protection. These settings include features that automatically deny access to any user, both signed in and not, when no User Criteria are set. They can also enforce rules requiring users to have explicit “Can Read” access for individual articles.
Other recommended settings prevent unauthorized users from seeing drafts or unpublished articles. This feature is crucial because these articles may include sensitive and unreviewed information. By defining roles for users who can view articles in various states, companies can further safeguard their data.
ServiceNow’s Response
In light of these findings, ServiceNow has acknowledged the issue. They reached out to customers to provide detailed guidance. They aim to help customers better configure their Knowledge Bases to meet security needs. The company has started taking proactive measures to enhance security for these instances. ServiceNow actively works with its clients to address any security concerns. This effort ensures that configurations align with the desired security levels.
Conclusion
The discovery of over 1,000 exposed ServiceNow instances highlights a major risk for companies. Sensitive corporate data leaks can have serious effects. Companies must ensure proper configurations for their ServiceNow instances. By following best practices and implementing suggested security features, organizations can protect their valuable information. Each business needs to take this issue seriously and act to secure its data from unwanted access.