September 19, 2024 at 10:06AM
Security researchers have found that thousands of companies may be exposing internal knowledge base (KB) articles due to misconfigurations in ServiceNow widgets. The issue arises from “private” pages within “public” KBs, leading to potential data exposure. Researchers estimate that 30-45% of ServiceNow instances are impacted, with implications for data security and access control.
The report details the findings of security researchers Aaron Costello and Dan Meged, who identified potential data exposure from internal knowledge base (KB) articles via ServiceNow misconfigurations. They highlighted that pages set to “private” could still be accessed by manipulating the ServiceNow customer’s KB widgets, and estimated that a significant number of ServiceNow customers may have this faulty configuration, unknowingly exposing sensitive information such as first-time-access passwords for new starters connecting to a company VPN.
It was also emphasized that KB articles are distinct from Service Portal pages, and that the widgets themselves can be set to “private” to avoid exposure. Additionally, certain security controls and User Criteria can limit which KB articles are readable, and in particular keep them from unauthenticated users.
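The mitigation just described (keeping widgets private so they are not reachable without authentication) is something an administrator can audit rather than assume. The following is an added example, not code from the article or from the researchers, showing one way to review widget exposure: it takes the JSON an instance's Table API returns for the sp_widget table and lists the records flagged public. The field name `public` on sp_widget, the query parameters, and the sample records are assumptions constructed for this example; confirm them against your own instance before relying on the output.

```python
"""Audit helper: list Service Portal widgets that are reachable without login.

Assumptions (verify on your instance):
  * sp_widget records carry a boolean field named `public` that, when true,
    makes the widget available to unauthenticated users.
  * The Table API returns booleans as the strings "true" / "false".
The sample payload at the bottom is constructed for this example.
"""
import base64
import json
import urllib.request
from typing import Dict, List


def table_api_url(base_url: str) -> str:
    """Build the Table API query that returns only the fields we audit."""
    return (
        f"{base_url.rstrip('/')}/api/now/table/sp_widget"
        "?sysparm_query=public=true"
        "&sysparm_fields=sys_id,name,id,public"
    )


def fetch_public_widgets(base_url: str, user: str, password: str) -> Dict:
    """Pull the payload from a live instance (not exercised in the test)."""
    req = urllib.request.Request(table_api_url(base_url))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def is_public(record: Dict) -> bool:
    """ServiceNow serialises booleans as strings, so compare case-insensitively."""
    return str(record.get("public", "false")).strip().lower() == "true"


def public_widgets(payload: Dict) -> List[Dict]:
    """Return the public widgets as (name, id, sys_id) dicts, sorted by name.

    Works on a full table dump as well as on a pre-filtered query result,
    because it re-checks the flag on every record.
    """
    found = [
        {"name": r.get("name", ""), "id": r.get("id", ""), "sys_id": r.get("sys_id", "")}
        for r in payload.get("result", [])
        if is_public(r)
    ]
    return sorted(found, key=lambda r: r["name"])


def summarize(payload: Dict) -> Dict[str, int]:
    """Counts an admin can track over time: total records vs. public ones."""
    total = len(payload.get("result", []))
    return {"total": total, "public": len(public_widgets(payload))}


# Constructed sample payload in the shape the Table API returns.
SAMPLE_PAYLOAD = {
    "result": [
        {"sys_id": "aaa111", "name": "KB Article Viewer", "id": "kb-article-viewer", "public": "true"},
        {"sys_id": "bbb222", "name": "My Requests", "id": "my-requests", "public": "false"},
        {"sys_id": "ccc333", "name": "Login Banner", "id": "login-banner", "public": "True"},
    ]
}

if __name__ == "__main__":
    for w in public_widgets(SAMPLE_PAYLOAD):
        print(f"PUBLIC widget: {w['name']} ({w['id']}, {w['sys_id']})")
    print(summarize(SAMPLE_PAYLOAD))
```

Run it against a real instance by replacing `SAMPLE_PAYLOAD` with the result of `fetch_public_widgets(...)`, then review each listed widget: anything that renders KB content should either be made private or sit behind User Criteria that exclude guest access.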
Furthermore, it was noted that both researchers, Costello and Meged, independently discovered the issues and had a dispute over who found the issues first, with conflicting claims about the timing of their research and publications.
The researchers’ findings demonstrate the importance of addressing these ServiceNow misconfigurations to prevent the inadvertent exposure of sensitive information and the potential risk of data breaches.