ServiceNow silently fixes bug from 2015 that enabled data leaks

The US company ServiceNow Inc. offers a cloud platform whose software has had a gaping bug since 2015 that allowed third parties to siphon off information without authentication. After a security researcher discovered the vulnerability, it was quietly eliminated in the cloud solution.


Who is ServiceNow?

I was not really familiar with this provider, but the company seems to have a presence in Germany. ServiceNow Inc. is a US technology company based in Santa Clara, California. According to Wikipedia, the company offers a cloud computing platform that enables companies to replace manual ways of working with digital ones.

Vulnerability closed silently

ServiceNow offers widgets that act as powerful APIs for the platform's service portal. This allows information to be accessed via mobile device. In early 2023, there was a code change to improve security. But despite these changes, the default configurations of the ServiceNow widgets were set so that the records retrieved were public. That meant unauthorized third parties could retrieve data without having to authenticate. The Register points this out in this article.

ServiceNow fixes information disclosure bug

Security researcher Aaron Costello pointed out these obvious problems with the default widget configurations in this post, showing ServiceNow that the vulnerability can expose personal data. After the security researcher published a method for unauthenticated attackers to steal a company's sensitive files, ServiceNow had to respond. According to The Register, ServiceNow has now issued a fix for the vulnerability as of Oct. 20, 2023.

Before ServiceNow quietly issued a fix, the company told The Register that it was aware of the issue, describing it as "a potential misconfiguration issue." ServiceNow also indicated that it would be making changes (probably to the access control lists, ACLs). With the fix, those ACLs now appear to be set so that no information can be retrieved from an organization's dataset without authentication.
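The two paragraphs above describe the core of the problem: a portal widget that hands records to a client that never authenticated, and a fix that consists of tightening ACLs so the same request is now refused. For an operator the practical question is whether their own instance behaves the old way or the new way. The following script is an added example written for this post; it is not ServiceNow code, and the host name, endpoint paths and sample responses in it are placeholders or constructed values, not real ServiceNow API paths or captured traffic. It sends a plain GET with no session cookie or token and classifies the answer: a JSON body that contains records means anonymous access still works, a 401/403 means the ACLs deny it, and anything else (a login page, an empty list) is flagged as inconclusive rather than silently treated as "fixed".

```python
"""Regression check for the widget misconfiguration described in the post.

Added example, not ServiceNow's code. Host and paths are placeholders; the
sample responses below are constructed for offline use.
"""
import json
import urllib.error
import urllib.request

# Outcomes of a single anonymous probe.
LEAK = "LEAK"                   # 2xx with a record payload: anonymous access still works
OK = "OK"                       # 401/403 without credentials: the ACL fix is in place
INCONCLUSIVE = "INCONCLUSIVE"   # login page, HTML error, empty list: needs a human look


def _looks_like_records(body: str) -> bool:
    """True if the body is JSON carrying at least one record-like object."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    # Accept {"result": [...]}, {"data": [...]}, {"records": [...]} or a bare list.
    if isinstance(data, dict):
        for key in ("result", "data", "records"):
            if isinstance(data.get(key), list):
                data = data[key]
                break
        else:
            return False
    return isinstance(data, list) and len(data) > 0 and all(isinstance(r, dict) for r in data)


def classify_response(status: int, content_type: str, body: str) -> str:
    """Map one HTTP response (sent without any session or token) to an outcome."""
    if status in (401, 403):
        return OK
    if 200 <= status < 300 and "json" in content_type.lower() and _looks_like_records(body):
        return LEAK
    return INCONCLUSIVE


def fetch_anonymous(url: str, timeout: float = 10.0):
    """Plain GET with no cookies and no Authorization header.

    Returns (status, content_type, body); HTTP errors are returned, not raised.
    """
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read().decode("utf-8", "replace")


def audit(base_url: str, paths, fetch=fetch_anonymous) -> dict:
    """Probe each path on your own instance and return {path: outcome}.

    `fetch` is injectable so the logic can be exercised offline.
    """
    return {p: classify_response(*fetch(base_url.rstrip("/") + p)) for p in paths}


# Constructed sample responses (not captured from any real instance).
SAMPLE_BEFORE_FIX = (
    200, "application/json;charset=UTF-8",
    json.dumps({"result": [{"sys_id": "0000constructed", "short_description": "constructed record"}]}),
)
SAMPLE_AFTER_FIX = (403, "application/json", json.dumps({"error": {"message": "Insufficient rights"}}))
SAMPLE_LOGIN_PAGE = (200, "text/html", "<html><body>login form</body></html>")
SAMPLE_EMPTY_LIST = (200, "application/json", json.dumps({"result": []}))

if __name__ == "__main__":
    # Offline demonstration with a fake fetcher; replace with fetch_anonymous
    # and your own instance URL plus the widget paths you actually expose.
    fake = {"/PLACEHOLDER/widget-a": SAMPLE_BEFORE_FIX, "/PLACEHOLDER/widget-b": SAMPLE_AFTER_FIX}
    base = "https://your-instance.example"
    print(audit(base, fake, fetch=lambda url: fake[url[len(base):]]))
```

Run it against your own instance after the fix has been rolled out and keep it in a scheduled job: the classifier deliberately refuses to call an endpoint "fixed" on anything other than an explicit 401/403, because a redirect to a login page or a 200 with an empty list can also mean the probe simply hit the wrong path.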


The bug is said to have existed since 2015. Whether it has been exploited is unknown. For users from the EU, the unpleasant situation now arises that, knowing about the security gap, they would have to check whether unauthorized access has taken place. If it has, a report to the data protection supervisory authority is due. Do any of you use this SaaS platform?
