Masked (encrypted) catalog item variable values do not seem to be really encrypted ???

Go to solution
Valon Sheremeti
Kilo Guru

‎10-01-2018 08:37 AM

Hi all.

I'm a bit puzzled.

I've been using masked type variable in my catalog item for capturing SSN value.

Per ServiceNow documentation "Since a masked variable uses platform encryption using TripleDES, the values for this variable are also encrypted"

However, my experience is different. When I impersonate an ITIL user and when I go to "sc_item_option_mtom" table list view I am able to see un-encrypted variable values.

Am I missing something?

 

find_real_file.png

Preview file
100 KB
  • 4,108 Views
1 ACCEPTED SOLUTION

Go to solution
Valon Sheremeti
Kilo Guru

‎10-17-2018 06:01 AM

I have upgraded my instance to London and this issue seems to be ongoing.

I am able to see un-encrypted masked variable value in "value" field  of  "sc_item_option" table.

I hope this vulnerability will be addressed soon.

 

find_real_file.png

 

View solution in original post

Preview file
18 KB
0 Helpfuls
5 REPLIES 5

Go to solution
SNOW46
Tera Contributor
In response to Hitoshi Ozawa

‎06-20-2023 07:17 AM

hi,

But still on the RITM record, the variable is not getting encrypted.

 

THanks

0 Helpfuls