ServiceNow Discloses Breach Exposing Customer Data

ServiceNow is warning customers through a support bulletin about a security incident after hackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.

Bleeping Compiter has the details here:  https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/

Dan Moore, Sr. Director CIAM Strategy at cybersecurity company FusionAuth, provided the following comments:

“Everyone’s calling this an unauthenticated API vulnerability. The attacker bypassed the authentication because there wasn’t any. The endpoint, which lets you create related lists to show up on ServiceNow forms, apparently had its authentication check default to off. It’s unclear how long this has been exposed.

A one-line smoke test “hit the endpoint with no credentials, expect a rejection” catches this. Nobody wrote the test, because the platform treated ‘no auth’ as valid configuration for a sensitive endpoint. When authentication is something you toggle per endpoint instead of a default the platform enforces, an exposed endpoint isn’t a bug the system rejects. It’s a setting someone forgot to change.

If you manage an application with an API, does an endpoint with no auth fail your build, or does it just ship?”

It should not ship. But that is now how the universe sees things. Maybe the universe should change.

Leave a Reply

Discover more from The IT Nerd

Subscribe now to keep reading and get access to the full archive.

Continue reading