December 9, 2023

A research release from SaaS security management startup AppOmni details ServiceNow instances that are vulnerable to misconfiguration.

The issue is leakage of data through improper customer ACL configurations, and nearly 70% of the instances subjected to testing had the issue. Although it is security-conscious, role-based access control has remained a consistent method for granting permissions to users and thus provisioning access to resources on a SaaS platform, and it carries the risk of data exposure. The root causes of the data exposure are a combination of misconfigured ACLs and overprovisioning of permissions to guest users.


The research explains that one aspect of role-based access control implementations on SaaS has been providing the public with access to information within a company’s database. This has largely been to support popular use cases for public-facing sites, which commonly include forums, online shops, customer support sites, knowledge bases and other externally facing workflows.

This creates a conflict between “least privilege” and “least friction” that plays out across cybersecurity. The research states that the failure to follow the concept of least privilege is a consistent issue with large organizations leveraging SaaS solutions.

There are several options for ServiceNow and other SaaS users to ascertain whether they’re vulnerable. The researchers have released a web application called SaaS Security Analyzer to evaluate ServiceNow instances for this data exposure.

Using the service requires filling out a form, after which the AppOmni team begins the request approval process, which includes making sure the person making the request is associated with or responsible for the ServiceNow instance. Once that’s approved, the ServiceNow instance is evaluated, and the results are then sent to the requester.


The alternative is to evaluate an instance and remediate it manually. Administrators are advised to perform checks regularly to ensure that access to sensitive information is not being provisioned to external unauthenticated users.

Those checks should include a review of ACLs that lack conditional and script-based access evaluation and have either no role or the public role assigned to them; a review of user criteria; and a review of resources that can be directly assigned the “public” role to grant access or indirectly made accessible to the public through another mechanism.
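The first of those checks can be scripted over an export of the instance's ACL rules. The following is an added example, not code from AppOmni or ServiceNow; the flattened record layout (`name`, `operation`, `condition`, `script`, `roles`, `active`), the sample records and the choice to skip inactive rules are all assumptions made for illustration.

```python
"""Flag ACL rules that match the manual review criteria (added example)."""

# Constructed sample data: one dict per ACL rule in an assumed flattened export.
# The field names are assumptions for this example, not a documented schema.
SAMPLE_ACLS = [
    {"name": "kb_knowledge", "operation": "read", "condition": "", "script": "", "roles": ["public"], "active": True},
    {"name": "incident", "operation": "read", "condition": "", "script": "", "roles": [], "active": True},
    {"name": "sys_user", "operation": "read", "condition": "active=true", "script": "", "roles": ["public"], "active": True},
    {"name": "cmdb_ci", "operation": "read", "condition": "", "script": "answer = gs.hasRole('itil');", "roles": [], "active": True},
    {"name": "task", "operation": "write", "condition": "", "script": "", "roles": ["itil"], "active": True},
    {"name": "old_table", "operation": "read", "condition": "", "script": "  ", "roles": ["Public"], "active": False},
]


def _blank(value):
    """True when a condition or script field carries no evaluation logic."""
    return value is None or not str(value).strip()


def review_acl(acl):
    """Return the reason a rule needs review, or None if it does not match."""
    if not acl.get("active", True):
        return None  # assumption: inactive rules are out of scope for this pass
    if not (_blank(acl.get("condition")) and _blank(acl.get("script"))):
        return None  # some conditional or script-based evaluation is present
    roles = {r.strip().lower() for r in (acl.get("roles") or []) if r and r.strip()}
    if not roles:
        return "no role, no condition, no script"
    if "public" in roles:
        return "public role, no condition, no script"
    return None


def find_exposed(acls):
    """Collect (name, operation, reason) for every rule that needs review."""
    findings = []
    for acl in acls:
        reason = review_acl(acl)
        if reason:
            findings.append((acl["name"], acl["operation"], reason))
    return findings


if __name__ == "__main__":
    for name, operation, reason in find_exposed(SAMPLE_ACLS):
        print(f"REVIEW {name} ({operation}): {reason}")
```

A flagged rule is a candidate for manual review, not proof of exposure; the user criteria and public-role resource reviews listed above still have to be done separately.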
