Incorrect default configuration on the ServiceNow platform allows data leakage
Information security now!
About a week ago, ServiceNow announced on its support site that misconfigurations of the platform could allow sensitive data to be leaked. The data security flaw in question is a critical concern for organisations using the service, as it can lead to a significant leak of sensitive company data. The National Cyber Security Centre Finland is aware of cases where this data security flaw has been exploited.
What is this about?
ServiceNow is a platform offered as a service, which is used, for example, for the management and processing of technical support and customer service cases for companies. The service can be considered one of the company's most critical systems, as it often provides access to confidential information, such as details of information systems and personal data.
The security flaw is related to the incorrect default configuration of the small programs (widgets) used in the service. These widgets are used to build the content of the ServiceNow portal, such as forms, lists and tables. ServiceNow offers ready-made widgets that the user can modify according to their own needs. A widget consists of HTML and CSS files as well as server-side and client-side scripts.
- Potential Public List Widget Misconfiguration
- Data Exposure and ServiceNow: The Elephant in the ITSM Room
- Simple List widget
- IP Address Access Control
- Access Control List Rules
- Adaptive Authentication
- Reviewing Transaction Logs for Simple List Widget Activity (requires login)