ServiceNow Patches Software Bug That Exposed Customer Data to the Internet
Key Takeaways
- Software Bug Enabled Unauthorized Access: A vulnerability in certain ServiceNow customer instances allowed unauthenticated users to access data without credentials.
- Researchers Discovered the Issue: ServiceNow said the activity associated with the vulnerability came from security researchers and customer security teams rather than malicious actors.
- Patch Deployed on June 5: The company issued fixes to affected customer instances after identifying the flaw.
- Scope Remains Unclear: ServiceNow has not disclosed how many customers were affected and has not confirmed whether versions beyond its Australia releases were impacted.
- No Evidence of Malicious Use Reported: According to ServiceNow, researchers stated that data was not retained or used beyond vulnerability testing activities.
Deep Dive
A software flaw in ServiceNow's cloud platform allowed unauthorized access to customer data stored in certain enterprise environments, prompting the company to patch affected instances and notify customers after security researchers uncovered the vulnerability. The bug let unauthenticated users read data in some customer instances without presenting any credentials. According to a ServiceNow knowledge article, which was published behind a customer login wall and later shared publicly on Reddit by users, the company deployed fixes on June 5 for a flaw that allowed users to gain greater access to ServiceNow-hosted data than intended.
ServiceNow characterized the incident as a security vulnerability rather than a cyberattack. The company said evidence of access originated from security researchers participating in vulnerability research rather than from malicious actors.
"Alongside our own investigation, we have been in contact with the security researchers who initially reported this issue and can confirm that evidence of the observed activity came from those security researchers and customer research teams, not bad actors," ServiceNow spokesperson Courtney Johnson told TechCrunch. "The security researchers have advised their activity was solely for bug bounty submissions and no data was used or retained."
The company did not identify the researchers involved and declined to disclose how many customers may have been affected, according to TechCrunch. Because the vulnerability stemmed from a defect in ServiceNow's own software rather than from a misconfiguration attributable to customers, it remains unclear whether organizations using the platform could have detected the exposure or taken any independent measures to prevent it before the patch was issued.
ServiceNow is one of the world's largest enterprise workflow and cloud platform providers, serving thousands of organizations that use its software to automate internal business processes. The platform is widely integrated with corporate IT, human resources, customer support, and operational systems, often handling large volumes of sensitive business information.
That concentration of data makes enterprise workflow platforms attractive targets for security researchers and cybercriminals alike. Customer support records, IT service tickets, and workflow data frequently contain passwords pasted into ticket bodies, API keys and other credentials, and operational details such as internal hostnames that an attacker could use to move further into an environment.
The company said the vulnerability affected customer instances running its Australia software releases. However, discussion among users on Reddit suggested that signs of external access may have appeared in instances operating on other versions of the platform, raising questions about the potential scope of the issue. ServiceNow has not publicly confirmed whether releases outside the Australia version family were affected.
The company has not indicated that customer data was misused or retained by unauthorized parties. Its statements emphasized that the observed activity was linked to security research conducted as part of responsible vulnerability disclosure efforts.
The incident nevertheless illustrates the security challenges facing major cloud software providers whose platforms serve as repositories for critical enterprise information. Even when a vulnerability is found by researchers rather than attackers, a flaw that permits unauthenticated access is one that customers cannot mitigate on their own, and it leaves organizations that rely on cloud services to manage sensitive operational data dependent on the provider's patch timeline and disclosure.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.