Major Security Misconfiguration Impacting ServiceNow Instances Discovered
AppOmni Research Indicates That Nearly 70% of Instances Tested Are Leaking Data Through Improper Customer ACL Configurations
San Francisco — March 9, 2022 — AppOmni, the leading provider of SaaS Security, has discovered a common ServiceNow Access Control List (ACL) misconfiguration present in nearly 70% of ServiceNow instances tested through AppOmni research. This security issue is defined as a “misconfiguration” resulting from a combination of customer-managed ServiceNow ACL configurations and overprovisioning of permissions to guest users.
These types of misconfigurations are common across major SaaS platforms due to the complexity that inevitably comes with high levels of SaaS functionality, flexibility, and extensibility. Misconfigurations can happen during the initial implementation phase of a SaaS platform, when users or settings change, or as part of the regular cadence of SaaS updates that can impact current configurations. To help organizations quickly discover and take action to correct this misconfiguration, AppOmni has developed the SaaS Security Analyzer, a free web application that will determine if a specific ServiceNow instance has this ACL misconfiguration.
“Securing SaaS is a lot more complicated than just checking a handful of settings or enabling strong authentication for users,” said Brendan O’Connor, CEO and co-founder of AppOmni. “SaaS platforms have become business operating systems because they are so flexible and powerful. There are many valid reasons for workloads and applications running on a SaaS platform to communicate externally, such as to integrate with emails and text messages or host a support portal for your customers. SaaS adoption skyrocketed during the pandemic. Unfortunately, investments in people, processes, and technology to secure and monitor SaaS have not kept up. In AppOmni’s experience, significant data exposures like this are far more common than customers realize.”
Organizations have long used Role-Based Access Control (RBAC) to grant permissions for users to access resources on a SaaS platform. One important aspect of RBAC is the ability to allow public access to information within your “database,” which could be a forum, online shop, customer support site, or knowledge base. The challenge is ensuring the right level of access when organizations update or customize SaaS applications or onboard new users.
AppOmni Offensive Security Researcher Aaron Costello discovered ServiceNow external interfaces exposed to the public that a malicious actor could use to extract data from records. Analysis of ServiceNow instances showed that nearly 70% of those analyzed by AO Labs are leaking sensitive information, including Personally Identifiable Information (PII), to unauthenticated users. More information, including remediation steps, is available in a new AO Labs Technical Paper.
“The AO Labs team is committed to helping organizations build and maintain secure SaaS environments,” said Brian Soby, CTO and co-founder of AppOmni. “The high degree of flexibility in modern SaaS platforms has made misconfiguration one of the largest security risks businesses currently face. Our goal is to shed light on common misconfigurations and other potential risks in SaaS platforms so users can ensure their system posture and configuration matches their business intent. We encourage all ServiceNow users to take advantage of the SaaS Security Analyzer and learn more about how this misconfiguration may impact them.”
Request a free, confidential evaluation of your ServiceNow instance with the SaaS Security Analyzer.
AppOmni is the leading provider of SaaS Security Management. AppOmni provides unprecedented data access visibility, management, and security of SaaS solutions, enabling organizations to secure mission-critical and sensitive data. AppOmni’s patent-pending technology deeply scans APIs, security controls, and configuration settings to evaluate the current state of SaaS deployments and compare against best practices and business intent. With AppOmni, organizations can establish rules for data access, data sharing, and third-party applications that will be continuously and automatically validated. The company’s leadership team brings expertise and innovation from leading SaaS providers, high tech companies, and cybersecurity vendors. Backed by Salesforce Ventures, ServiceNow Ventures, Scale Venture Partners and more, AppOmni was named a 2021 SINET16 Innovator and one of Dark Reading’s “11 Cybersecurity Vendors to Watch in 2021.”