Security researchers say thousands of companies are potentially leaking secrets from their internal knowledge base (KB) articles via ServiceNow misconfigurations.
Aaron Costello and Dan Meged, of security shops AppOmni and Adaptive Shield, respectively, separately published their findings this week, concluding that pages set to "private" could still be read by tinkering with a ServiceNow customer's KB widgets.
These widgets are the reusable page components from which KB article pages are built. They may include elements that let readers give feedback on an article, for example by leaving a star rating or a comment.
Where an organization's KB itself is set to "public" but the articles within it are set to "private", the article-level restriction is not enforced when the content is requested through those widgets, so each KB article can still be read that way.