5 Things To Know About ServiceNow Data Leak Discovery

A researcher from security vendor AppOmni uncovered more than 1,000 ServiceNow instances that have been exposing Knowledge Base data.

More than 1,000 ServiceNow instances have been discovered to be exposing potentially sensitive Knowledge Base data, according to a researcher from SaaS security vendor AppOmni.

Knowledge Base (KB) data “can be a treasure trove of sensitive internal data intended only for the eyes of an organization’s staff,” wrote Aaron Costello, chief of SaaS security research at AppOmni, in a post Tuesday.

The exposures were largely due to outdated configurations or misconfigurations for access controls, Costello wrote.

What follows are five things to know about the ServiceNow data leak discovery.

Knowledge Base Data

ServiceNow Knowledge Bases are known to often contain data including internal documentation for a company’s staff — with information such as “answers to common problems, IT support requests, high-level system information, data related to HR processes and more,” according to an email comment from AppOmni’s Costello provided to CRN.

“In some cases, it has been found to include more sensitive information such as active credentials that can be used to access other company systems, detailed design documents describing proprietary software, and intricate mappings of the organization's corporate network,” Costello said.

Threat From Exposed Data

If attackers are able to access this data, it can enable them to carry out attacks against other corporate systems, he said.

“These attacks could be immediate in nature, such as stealing the credentials and using them to access database information in other company systems, or long term – gaining and maintaining access to those systems,” Costello said. “They could also provide valuable intel which could lay the groundwork for future attacks.”

Leak Discovery

During the past year, Costello discovered more than 1,000 individual ServiceNow instances that unintentionally exposed KB data, according to his blog. That equates to nearly half of all enterprise instances that he tested over that period.

“In many of these cases, it was observed that organizations that have more than one instance of ServiceNow had consistently misconfigured KB access controls across each one,” Costello wrote.

“This could indicate a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance’s poor controls to another through cloning,” he said. “These instances were considered by the affected organizations to be sensitive in nature, such as PII, internal system details, and active credentials / tokens to live production systems.”

Remediation Options

In order to address the configuration issues causing the ServiceNow data exposures, Costello recommended several mitigations.

Most importantly, organizations should “run regular diagnostics on KB access controls to keep security configurations updated, and use Business Rules to deny unauthenticated access to KB content by default,” he wrote in the post Tuesday.

Such a rule can also “[take] advantage of the powerful customization capabilities that ServiceNow is known for,” Costello noted.
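The “deny unauthenticated access by default” Business Rule Costello recommends, sketched as an added example that is not AppOmni’s or ServiceNow’s code: a “before query” rule on the kb_knowledge table that lets logged-in users fall through to the normal KB access controls but limits guest sessions to published articles in one deliberately public KB. The platform names used (gs.getSession().isLoggedIn(), addQuery, addActiveQuery, the workflow_state and kb_knowledge_base fields) are assumptions about the ServiceNow API, and the small GlideRecord/GlideSystem stand-ins plus sample articles are constructed so the rule can run outside the platform.

```javascript
// Added example, not AppOmni's or ServiceNow's code. PUBLIC_KB_SYS_ID is a placeholder for the
// sys_id of the one Knowledge Base an organisation intends to publish to unauthenticated users.
var PUBLIC_KB_SYS_ID = 'PLACEHOLDER_PUBLIC_KB_SYS_ID';

// Body of a "before query" Business Rule on kb_knowledge. In ServiceNow, `current` (the GlideRecord
// being queried) and `gs` (GlideSystem) are injected globals; they are passed explicitly here so the
// logic can be exercised outside the platform. API names are assumptions about the platform.
function restrictGuestKbQuery(current, gs) {
  if (gs.getSession().isLoggedIn()) {
    return 'authenticated'; // authenticated users: regular KB ACLs / user criteria still apply
  }
  // Guest session: default-deny. Only active, published articles from the explicitly public KB
  // are added to the query; every other article is filtered out before it can be read.
  current.addQuery('kb_knowledge_base', PUBLIC_KB_SYS_ID);
  current.addQuery('workflow_state', 'published');
  current.addActiveQuery();
  return 'guest-restricted';
}

// --- Constructed stand-ins for GlideRecord and GlideSystem so the rule runs in plain Node ---
function FakeGlideRecord(rows) { this.rows = rows; this.filters = []; }
FakeGlideRecord.prototype.addQuery = function (field, value) { this.filters.push([field, value]); };
FakeGlideRecord.prototype.addActiveQuery = function () { this.filters.push(['active', true]); };
FakeGlideRecord.prototype.results = function () {
  var filters = this.filters;
  return this.rows.filter(function (row) {
    return filters.every(function (q) { return row[q[0]] === q[1]; });
  });
};
function fakeGs(loggedIn) {
  return { getSession: function () { return { isLoggedIn: function () { return loggedIn; } }; } };
}

// Constructed sample articles: one public, one internal-only, one unpublished draft in the public KB.
var SAMPLE_ARTICLES = [
  { number: 'KB0000001', kb_knowledge_base: PUBLIC_KB_SYS_ID, workflow_state: 'published', active: true },
  { number: 'KB0000002', kb_knowledge_base: 'INTERNAL_KB_SYS_ID', workflow_state: 'published', active: true },
  { number: 'KB0000003', kb_knowledge_base: PUBLIC_KB_SYS_ID, workflow_state: 'draft', active: true }
];

// Returns the article numbers a session would be able to read after the rule runs.
function visibleArticleNumbers(loggedIn) {
  var gr = new FakeGlideRecord(SAMPLE_ARTICLES);
  restrictGuestKbQuery(gr, fakeGs(loggedIn));
  return gr.results().map(function (row) { return row.number; });
}
```

A guest session ends up seeing only KB0000001, while a logged-in session is left to the existing access controls rather than being filtered by this rule.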

ServiceNow Response

In a statement Tuesday, ServiceNow said it is “aware of AppOmni’s blog, which describes the potential for unintended access if customer Knowledge Base (KB) articles are not configured to meet business needs.”

“Several months ago, we contacted customers with detailed guidance on how to address this issue,” the company said in the statement provided to CRN. “In addition, to help protect customers whose KBs may still permit greater access than desired, we began on September 4, 2024, to take proactive action designed to address customers’ KB configurations as appropriate.”