
ServiceNow quietly addresses unauthenticated data exposure flaw from 2015

October 26, 2023

ServiceNow is issuing a fix for a flaw that exposes data after a researcher published a method for unauthenticated attackers to steal an organization’s sensitive files.

Security researcher Aaron Costello highlighted apparent issues with the default configurations of ServiceNow’s widgets that allow personal data to be exposed.

ServiceNow’s widgets act as powerful APIs for the platform’s Service Portal. Despite a code change earlier this year to improve safety, the default configuration of these widgets was to set their records to public, meaning that if the defaults are left unchanged, the widgets will return the type of data an attacker specifies.

Read More on The Register