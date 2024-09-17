Knowledge base articles are packed with useful information. Normally they stay within corporate walls, but due to a lack of updates, more than 1,000 ServiceNow instances allow external, unverified access.

The information in question varies greatly depending on the type of organization and the approach taken to knowledge base articles. Many revolve around internal advice, regularly in the form of an FAQ. Knowledge about internal procedures can be useful to malicious parties in many ways. Consider login procedures that can be hijacked or information that can lend credibility to phishing emails.

Information leak was big

AppOmni research shows that information from these knowledge base (KB) articles on ServiceNow instances is compromising organizations. More than 1,000 ServiceNow instances were exposed to the public Internet due to a configuration error. Although updates from ServiceNow during 2023 severely restricted access for other components, they were not aimed at shielding KB articles. They lacked the “UserIsAuthenticated” attribute required elsewhere on the ServiceNow platform as a requirement.

This allowed public ServiceNow widgets to access data from KB articles without an authentication step. Through a proof-of-concept, AppOmni researchers showed how the data could be stolen. By acting like a potential attacker, the author, short description and full text could be raked in quickly. According to AppOmni, it is possible for malicious actors to attack multiple ServiceNow instances simultaneously.

Advice

To be less at risk, organizations can implement various mitigations. ServiceNow allows a variety of customizations, including Business Rules that can shield KBs from external parties. Security properties for KBs can also be chosen that make retrieval of sensitive data impossible for third parties. Furthermore, diagnostic tests come in handy and implementing the latest ServiceNow updates is highly recommended.

