on 02-25-2021 11:30 PM
tldr; on October 8th, 2020 a critical security issue related to the "Help the Help Desk" feature was fixed.
This issue was exposing the SOAP credentials that have been configured to be used with HTHD to anyone who would have accessed the (publicly available) config file at /HelpTheHelpDesk.jsdbx.
I couldn't find a matching topic but this is related to the "Help the Help Desk" (HTHD) feature and a security issue related to the same.
As I also wasn't able to find any knowledge about this in the community yet, I am creating this post just to get some insights if anyone else is aware of this.
On August 15th, 2020 a security researcher discovered a quite big issue with ServiceNow's "Help the Help Desk" tool and its default configuration.
The issue was fixed with a patch released on October 8th, 2020, so there shouldn't be any issue any longer.
The credentials that have been used for the HTHD SOAP connection were exposed to any person who could access the JavaScript file at https://<yourinstance>.servicenow.com/HelpTheHelpDesk.jsdbx.
(In case you are not using IP Address Access Controls, it could still be accessed by an unauthenticated user.)
The properties that actually store the credentials are glide.hthd.http.username & glide.hthd.http.password.
According to my understanding, these credentials got automatically copied into the mentioned config file, and from that point anyone could have used them to log in to the affected instance.
Unfortunately there is no official communication by ServiceNow regarding this, so I assume that the issue has been persisting since the very early releases.
My information is based on the blog post of Jordan Potti, and I got the confirmation by ServiceNow within a HI-Case.
Are you using the HTHD feature and did you receive any further information about this?