Masked (encrypted) catalog item variable values do not seem to be really encrypted?

Valon Sheremeti
Kilo Guru

Hi all.

I'm a bit puzzled.

I've been using a masked type variable in my catalog item for capturing an SSN value.

Per ServiceNow documentation: "Since a masked variable uses platform encryption using TripleDES, the values for this variable are also encrypted."

However, my experience is different. When I impersonate an ITIL user and go to the "sc_item_option_mtom" table list view, I am able to see unencrypted variable values.

Am I missing something?

 


1 ACCEPTED SOLUTION

Valon Sheremeti
Kilo Guru

I have upgraded my instance to London and this issue seems to be ongoing.

I am able to see the unencrypted masked variable value in the "value" field of the "sc_item_option" table.

I hope this vulnerability will be addressed soon.

 


5 REPLIES 5

SanjivMeher
Kilo Patron

If that's true, that's a security bug.




 

Reyes
ServiceNow Employee

In the mask variable's type specification, you will need to enable encryption.

https://docs.servicenow.com/bundle/newyork-it-service-management/page/product/service-catalog-manage...

Hitoshi Ozawa
Giga Sage

Old thread, but for everybody who may come across this thread: open up the variable page, select the "Type Specification" tab and check "Use encryption". The default is unchecked, so text is stored as clear text.
