Misconfigured access controls expose sensitive data on Oracle NetSuite websites

16-August-24

A new report out today from software-as-a-service security management company AppOmni Inc. is warning of an issue in Oracle NetSuite’s SuiteCommerce platform that could allow attackers to access sensitive data thanks to misconfigured access controls on custom record types.
NetSuite, owned by Oracle Corp. since 2016, is a popular SaaS enterprise resource planning platform. One of its most popular features is its ability to deploy an external-facing store using SuiteCommerce or SiteBuilder. The sites are deployed on a subdomain on the NetSuite tenant and can allow unauthenticated customers to browse, register and purchase products directly from a business.
If that sounds all well and good, in comes the security issue uncovered by Aaron Costello, chief of SaaS security research at AppOmni, one that could allow unauthenticated bad actors to steal records from organizations that have a public site.
The vulnerability, already found in thousands of live public SuiteCommerce websites spanning various types of organizations, relates to the improper configuration of access controls within the platform’s custom record types (CRTs). CRTs are often used to store critical data related to customers, orders and other business operations, but when improperly configured they can inadvertently expose sensitive information, such as customer addresses, phone numbers and order histories, to unauthorized users.
The NetSuite flaw poses a significant risk, particularly for small to medium-sized businesses that lack the resources to promptly identify and remediate vulnerabilities.
As noted by Costello, in some cases, the exposed data can be accessed through simple URL manipulation or by bypassing weak authentication mechanisms. The ability to do so makes it an attractive target for cybercriminals seeking to harvest personal data for fraudulent activities.
NetSuite has acknowledged the issue and is currently working on a fix. The company has also urged all SuiteCommerce users to review their security settings and implement recommended best practices to secure their CRTs against unauthorized access.
Though Cisco and NetSuite are making the right move in responding to the issue, the report notes that as more organizations move their operations online, vulnerabilities like this could become increasingly common, particularly in complex, customizable platforms such as SuiteCommerce. Businesses that rely heavily on these platforms must remain vigilant, regularly auditing their security configurations and staying informed about potential risks, Costello said. “Many organizations are struggling to implement and maintain a robust SaaS security program.”
