The ServiceNow Knowledge Base (KB) leak exposed sensitive corporate data from over 1,000 instances of the platform, largely due to misconfigured access controls. These KBs, used to store critical corporate data like PII, system credentials, and internal processes, were inadvertently exposed, giving unauthorized users access via public widgets. This widespread misconfiguration highlights ongoing issues with securing SaaS platforms and reinforces the need for stronger access controls and proper configuration management to prevent future breaches.
1. What Happened?
Over 1,000 individual ServiceNow instances were found to have unintentionally exposed Knowledge Base articles, allowing unauthorized users to access sensitive information. These articles, designed to store internal documentation such as login procedures, HR processes, and system credentials, were left open to public access due to a combination of misconfigured ACLs and ineffective User Criteria settings. The exposure was discovered through extensive research and testing by AppOmni, who identified flaws in the way KB access controls were applied.
2. Why Did This Happen?
The exposure’s root cause lies in how Access Control Lists (ACLs) and User Criteria are applied to ServiceNow’s KB articles. The UserIsAuthenticated attribute, which ensures that only verified users can access internal resources, was not applied to KB articles by default. This allowed public widgets to access KB content without authentication, making them vulnerable to unauthorized access.
There are two key reasons why this misconfiguration persisted:
- Public Widgets: These widgets were not included in the 2023 security updates, which applied more stringent access controls to other parts of the ServiceNow platform but left KB articles served through widgets exposed.
- User Criteria Misuse: Many organizations relied on User Criteria instead of ACLs to secure their KB articles. However, User Criteria is less effective in this case because it doesn’t benefit from the UserIsAuthenticated security attribute. Additionally, improper use of “Any User” or “Guest User” criteria accidentally allowed unauthenticated access.
3. How Did Attackers Exploit This?
AppOmni’s research demonstrated how unauthenticated actors could exploit the vulnerability through a proof-of-concept (PoC) attack. Attackers could leverage Burp Suite to brute-force the incremental KB article IDs (formatted as KBXXXXXXX) and retrieve article content. This method allowed attackers to exfiltrate sensitive data such as:
- Short descriptions
- Full text of articles
- Author information
- Category of the KB article
This rapid data retrieval method allowed attackers to target multiple ServiceNow instances simultaneously, increasing the potential scale of the breach.
4. Who Was Affected?
The leak impacted over 1,000 organizations using ServiceNow, spanning healthcare, finance, government, and technology industries. Many of these companies rely on third-party vendors to manage their ServiceNow configurations, further complicating the security landscape. Organizations with multiple ServiceNow instances were particularly vulnerable, as misconfigurations in one instance were often cloned to others, multiplying the risk.
In some cases, the exposed data included personally identifiable information (PII), login credentials, and even access tokens for live systems. Such sensitive data being exposed can lead to both immediate attacks and long-term exploitation.
5. When Was It Discovered?
The vulnerability was first discovered in April 2023 and continued to affect ServiceNow instances into September 2024. The exposure persisted despite ServiceNow’s efforts to update security configurations in 2023, as these updates did not fully address the KB article exposure problem.
6. How Can It Be Fixed?
Organizations can take several measures to mitigate the risk and protect their KB articles from unauthorized access:
- Regular Diagnostics: Organizations should conduct regular audits of their KB access controls to ensure proper configurations and restrict access to authenticated users.
- Leverage Business Rules: ServiceNow’s Business Rules can be customized to block unauthorized access to sensitive articles by default, ensuring that only verified users can access important internal data.
- Security Properties: Configuring the security properties for KB articles to restrict retrieval of sensitive information by third-party or unauthenticated users is critical. Properties like glide.knowman.block_access_with_no_user_criteria can prevent unauthorized access to articles that have no User Criteria defined.
- User Authentication: Applying the UserIsAuthenticated attribute to all KB articles can enforce strict authentication requirements before data is accessed.
In response to this issue, ServiceNow started proactively contacting customers to guide them on securing their KBs. The company also began enforcing tighter configurations for KB articles starting in September 2024.
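The audit below is an added example, not ServiceNow's or AppOmni's code. It models the two misconfigurations described in sections 2 and 6: articles with no "can read" User Criteria on an instance where glide.knowman.block_access_with_no_user_criteria is false, and articles whose criteria grant access to "Any User" or "Guest User". The record shapes, the criteria names and the sample articles are constructed for illustration.

```javascript
// Criteria names that the article notes end up matching unauthenticated
// callers. Modelled here as a plain name match (an assumption).
const UNAUTHENTICATED_CRITERIA = new Set(['Any User', 'Guest User']);

// Evaluate one KB article record against the instance security properties.
// Returns null when the article is restricted, otherwise a finding object.
function checkArticle(article, props) {
  const canRead = article.canReadCriteria || [];
  // sys_properties values are strings, so compare against 'true'.
  const blockIfNoCriteria =
    props['glide.knowman.block_access_with_no_user_criteria'] === 'true';

  // Failure mode 1: no criteria at all, and the property does not block it.
  if (canRead.length === 0 && !blockIfNoCriteria) {
    return {
      number: article.number,
      reason: 'no can-read User Criteria and block_access_with_no_user_criteria is false',
    };
  }
  // Failure mode 2: a criterion that matches unauthenticated users.
  const open = canRead.filter((c) => UNAUTHENTICATED_CRITERIA.has(c));
  if (open.length > 0) {
    return {
      number: article.number,
      reason: `can-read criteria grant unauthenticated access: ${open.join(', ')}`,
    };
  }
  return null;
}

// Run the check over every article; return only the findings.
function auditKbExposure(articles, props) {
  return articles.map((a) => checkArticle(a, props)).filter((f) => f !== null);
}

// Constructed sample data: an instance with the property left at 'false'.
const sampleProps = { 'glide.knowman.block_access_with_no_user_criteria': 'false' };
const sampleArticles = [
  { number: 'KB0000001', canReadCriteria: [] },                      // exposed: no criteria
  { number: 'KB0000002', canReadCriteria: ['Guest User', 'ITIL'] },  // exposed: Guest User
  { number: 'KB0000003', canReadCriteria: ['Authenticated Users'] }, // restricted
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditKbExposure(sampleArticles, sampleProps));
}
```

Feeding the function the output of a GlideRecord query over kb_knowledge and its related kb_uc_can_read_mtom records, together with the instance's sys_properties, would turn it into the regular diagnostic that section 6 recommends.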
The Importance of Third-Party Vendors in ServiceNow Data Breaches
The participation of third-party vendors is a key element in the ServiceNow data breach. Numerous businesses depend on outside contractors to oversee their ServiceNow systems, highlighting the importance of these third-party entities adhering to strict security protocols. Despite ServiceNow offering strong tools and controls, leaks often occur due to third-party management failures.
Companies should pay careful attention to their third-party vendors for several reasons:
Misconfigurations from Suppliers:
Third-party vendors responsible for handling platforms such as ServiceNow may not consistently follow the required security settings. This event underscores the dangers of incorrect implementation of Access Control Lists (ACLs) and user criteria, leading to the exposure of sensitive Knowledge Base (KB) articles.
Third-Party Risk Management (TPRM):
Companies need a robust TPRM framework for regularly auditing vendors and ensuring they adhere to security best practices. Without this oversight, a minor misconfiguration could result in a significant data breach.
Responsibility:
While third-party vendors manage the daily tasks of platforms such as ServiceNow, it is the company that holds the final accountability for the security of data. It is important for them to make sure that vendors are applying security patches, reviewing access controls, and addressing vulnerabilities quickly.
By enhancing supervision of third parties and implementing rigorous security measures, companies can enhance the safeguarding of their systems and data from comparable incidents.
Conclusion
The ServiceNow Knowledge Base exposure serves as a stark reminder of the importance of rigorous access controls and the dangers of misconfigurations in cloud-based platforms. Organizations must regularly audit their systems, apply stronger authentication methods, and ensure that both ACLs and User Criteria are properly configured to protect sensitive data. By taking these precautions, businesses can safeguard their internal knowledge and reduce the risk of data breaches.
For more details on the vulnerability and its implications, read AppOmni’s research here.