app-omni-labs-logo

ServiceNow ACL Misconfiguration Assessment

The AO Labs team is committed to the discovery and mitigation of novel threat vectors to the most business-critical SaaS platforms before bad actors strike. We often discover insecure configurations that can lead to inadvertent data exposures.

As part of our regular, proactive security reviews of the SaaS applications we support, AppOmni Offensive Security Researcher Aaron Costello discovered a common misconfiguration impacting ServiceNow customers: ServiceNow external interfaces exposed to the public that may inadvertently expose sensitive personal information.

This research and analysis highlighted that close to 70 percent of ServiceNow instances we evaluated are prone to data exposure, including Personal Identifiable Information (PII), to unauthenticated users. The root causes for data exposure are a combination of ServiceNow Access Control List (ACL) configurations and over provisioning of permissions to guest users – both of which are managed by customers, not ServiceNow. 

You can find additional details about this misconfiguration in our technical paper:

AppOmni Research Discovers Major Security Misconfiguration Impacting ServiceNow and Other SaaS Instances

Check Your Configurations

AppOmni has developed a web application, the SaaS Security Analyzer, to evaluate ServiceNow instances for public data exposure. To take advantage of this offering, simply fill out the form and our team will begin the request approval process. This process includes confirming that you are associated with the ServiceNow instance in your request. Once approved, we will evaluate your ServiceNow instance and notify you promptly of the results. No data is exposed in this evaluation. 

Results will be disclosed only to the individual requestor through secure channels.

Disclaimer: AppOmni’s SaaS Security Analyzer evaluates a limited subset of the ServiceNow data that may be publicly available. For a more detailed evaluation of your ServiceNow posture and potential risk, please request an AppOmni Risk Assessment.

A free, comprehensive AppOmni Risk Assessment analyzes your entire ServiceNow instance. After the Risk Assessment, you’ll receive an AppOmni ServiceNow findings report with information on: 

  • Publicly-exposed data
  • Data with limited or no restrictions
  • External users with over-privileged access to data
  • Over-provisioned admin users/roles
  • 3rd-party applications connected to your ServiceNow instance
  • Security configurations that don’t adhere to best practices 

If you’re interested in learning more or have questions about the SaaS Security Analyzer, please email [email protected] and we’ll get in touch with you.

Request your ServiceNow ACL Misconfiguration Assessment






AppOmni is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. By submitting this form, you consent to AppOmni contacting you for this purpose.

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow AppOmni to store and process the personal information submitted above to provide you the content requested.

Featured Blogs

How Log4j May Impact Your SaaS & 3rd-Party Apps - & What You Can Do

Log4j is a critical vulnerability in a widely-used software that can have far-reaching and costly impacts. One of AppOmni’s core values is to build trust with transparency…

Three Ways Resellers Can Lead the Way in SaaS Security

Gartner projects a $20B increase in SaaS spend for 2021 and 2022. With that, security has never been more crucial. For resellers, there are huge opportunities to lead…

OWASP Top 10 for 2021, with Broken Access Control Now #1

OWASP recently released the 2021 Top 10 web application security threats. It’s the first update since 2017 and two things jumped out at us…