ServiceNow is releasing a fix for a data-exposure bug after a researcher published a technique that lets unauthenticated attackers take sensitive files from an organisation.
Security researcher Aaron Costello drew attention to obvious problems in the default configuration of ServiceNow’s widgets that allow personal information to be exposed.
The platform’s Service Portal relies on the powerful APIs that ServiceNow’s widgets provide. These widgets were originally configured to make their records public, so if they are left unmodified they return whatever data an attacker requests. This stands in contrast to a code update made earlier this year to increase security.