The US company ServiceNow Inc. offers a cloud platform whose software has contained a gaping bug since 2015 that allowed third parties to siphon off information without authentication. After a security researcher discovered the vulnerability, it was quietly fixed in the cloud solution.
Who is ServiceNow?
I was not familiar with the provider in this way, but the company seems to have a presence in Germany. ServiceNow Inc. is a US technology company based in Santa Clara, California. The company offers a cloud computing platform that enables companies to replace manual ways of working with digital ones, according to Wikipedia.
Vulnerability closed silently
ServiceNow offers widgets that act as powerful APIs for the platform's service portal, allowing information to be accessed from mobile devices. In early 2023, a code change was made to improve security. Despite these changes, however, the default configuration of the ServiceNow widgets left the records they retrieved publicly accessible. That meant unauthorized third parties could retrieve data without having to authenticate. The Register points this out in this article.
Security researcher Aaron Costello pointed out these obvious problems with the default widget configurations in this post, showing ServiceNow that the vulnerability can expose personal data. After the researcher published a method by which unauthenticated attackers could steal a company's sensitive files, ServiceNow had to respond. According to The Register, ServiceNow issued a fix for the vulnerability on Oct. 20, 2023.
Before ServiceNow quietly issued the fix, the company told The Register that it was aware of the issue, which it described as "a potential misconfiguration issue." Nevertheless, ServiceNow indicated that it would be making changes (probably to the access control lists, ACLs). With the fix, those ACLs now appear to be set so that no information can be retrieved from an organization's dataset without authentication.
The bug is said to have existed since 2015; whether it has been exploited is unknown. For users in the EU, the unpleasant situation now arises that, knowing of the security gap, they would have to check whether unauthorized access has taken place. If so, a report to the data protection supervisory authority is due. Do any of you use this SaaS platform?