UPDATED 11:00 EDT / MARCH 09 2022

SECURITY

ServiceNow instances found vulnerable to misconfiguration and leaking data

New research released today by software-as-a-service security management startup AppOmni Inc. details how ServiceNow Inc. instances are vulnerable to misconfiguration.

The issue relates to data leaking through improperly configured customer access control lists, or ACLs, with nearly 70% of tested instances having the problem. That ACLs are the source of the problem is notable: although SaaS providers have become more security-conscious, role-based access control has remained the standard method for granting permissions to users, and therefore for provisioning access to resources on a SaaS platform, so a misconfigured ACL translates directly into a risk of data exposure.

As in the testing AppOmni previously did on Salesforce Inc. instances, ServiceNow instances were found to be vulnerable, allowing an unauthenticated user to extract data. Further investigation found that the root cause of the data exposure is a combination of misconfigured ACLs and overprovisioning of permissions to guest users.

The research explains that an important aspect of role-based access control implementations on SaaS has been providing the public with access to the information within a company’s database. This has largely been to support popular use cases for publicly facing sites — which commonly include forums, online shops, customer support sites and knowledge bases — and other workflows that are externally facing.

That in turn creates an example of conflict between “least privilege” and “least friction” that plays out across cybersecurity. The research states that the failure to follow the concept of least privilege is a consistent issue that AppOmni has identified while working with large organizations leveraging SaaS solutions.

“As organizations introduce further on-platform customizations and onboard new users, we have noticed that these actions often have a direct impact on their security posture,” the release states. “To combat this, the AO Labs team is committed to the discovery and mitigation of novel threat vectors to the most business-critical SaaS platforms before bad actors can take advantage of them and wreak havoc.”

There are several options for ServiceNow and other SaaS users to ascertain whether they’re vulnerable. AppOmni has released a web application called SaaS Security Analyzer to evaluate ServiceNow instances for this particular data exposure.

Using the service requires filling out a form, after which the AppOmni team begins the request approval process, which includes verifying that the person making the request is associated with or responsible for the ServiceNow instance. Once the request is approved, the ServiceNow instance is evaluated and the results are sent to the requester.

The alternative is to evaluate an instance and remediate it manually. Administrators are advised to perform checks regularly to ensure that access to sensitive information is not being provisioned to external unauthenticated users.

Those checks should include a review of ACLs that lack conditional and script-based access evaluation and that have either no role or the public role assigned to them; a review of user criteria; and a review of resources that can be directly assigned the “public” role to grant access, or that are indirectly made accessible to the public through another mechanism, such as publishing a report.
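The first of those checks can be scripted against an export of an instance's ACL records. The following is an added example written for this article; it is not code from AppOmni, ServiceNow or the research. It assumes each exported record carries the fields `name`, `operation`, `type`, `active`, `roles`, `condition` and `script` (an assumption loosely modelled on the ServiceNow ACL table and its role mapping; a real export may name them differently), and the records below are constructed sample data. It flags active ACLs that carry no condition and no script and that grant access either to no role at all or to the public role, which is exactly the combination the article describes as exposing data to unauthenticated users.

```javascript
// Added example, not from the article or the vendors it describes.
// Audits an exported list of ServiceNow-style ACL records for the pattern
// described above: no conditional or script-based evaluation, and either
// no role or the "public" role assigned. Field names are assumptions.

// Constructed sample export (not real instance data).
const SAMPLE_ACLS = [
  { name: "incident",     operation: "read", type: "record", active: true,
    roles: [],                 condition: "",                         script: "" },
  { name: "kb_knowledge", operation: "read", type: "record", active: true,
    roles: ["public"],         condition: "workflow_state=published", script: "" },
  { name: "sys_user",     operation: "read", type: "record", active: true,
    roles: "public",           condition: "",                         script: "" },
  { name: "sc_cat_item",  operation: "read", type: "record", active: true,
    roles: ["public"],         condition: "",                         script: "answer = gs.hasRole('itil');" },
  { name: "cmdb_ci",      operation: "read", type: "record", active: true,
    roles: ["itil", "asset"],  condition: "",                         script: "" },
  { name: "u_secret",     operation: "read", type: "record", active: false,
    roles: [],                 condition: "",                         script: "" },
];

// Exports sometimes carry roles as a comma-separated string rather than an
// array; normalise both shapes to a lowercase array of role names.
function normalizeRoles(roles) {
  if (Array.isArray(roles)) return roles.map(r => String(r).trim().toLowerCase()).filter(Boolean);
  if (typeof roles === "string") return roles.split(",").map(r => r.trim().toLowerCase()).filter(Boolean);
  return [];
}

// True when the ACL relies on roles alone: no condition and no script.
function hasNoEvaluation(acl) {
  return !(acl.condition || "").trim() && !(acl.script || "").trim();
}

// Classify why an ACL is reachable without an authenticated role, or null.
function exposureReason(acl) {
  const roles = normalizeRoles(acl.roles);
  if (roles.length === 0) return "no role assigned";
  if (roles.includes("public")) return "public role assigned";
  return null;
}

// Returns the active ACLs that grant unconditional access to unauthenticated
// users, in export order, each with the reason it was flagged.
function findExposedAcls(acls) {
  const findings = [];
  for (const acl of acls) {
    if (!acl.active) continue;            // inactive ACLs are not enforced either way
    if (!hasNoEvaluation(acl)) continue;  // a condition or script still gates access
    const reason = exposureReason(acl);
    if (reason) findings.push({ name: acl.name, operation: acl.operation, reason });
  }
  return findings;
}

// Small summary for a review meeting: counts plus the flagged records.
function summarize(acls) {
  const exposed = findExposedAcls(acls);
  return {
    total: acls.length,
    active: acls.filter(a => a.active).length,
    exposed: exposed.length,
    findings: exposed,
  };
}

const report = summarize(SAMPLE_ACLS);
console.log(`ACLs: ${report.total}, active: ${report.active}, exposed: ${report.exposed}`);
for (const f of report.findings) {
  console.log(`  ${f.name} (${f.operation}): ${f.reason}`);
}
```

Records gated by a condition (`kb_knowledge`) or a script (`sc_cat_item`) are deliberately left out of the findings, because the article's concern is ACLs with no evaluation at all; those records still belong in the broader review, just under the user-criteria and condition checks rather than this one. On sample data the audit reports `incident` (no role) and `sys_user` (public role).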

Image: ServiceNow
