Thousands of Oracle NetSuite ERP websites discovered leaking personal customer data
Researchers have discovered a vulnerability in Oracle NetSuite’s SuiteCommerce e-commerce platform that could allow attackers to steal sensitive data from websites.
A report from AppOmni revealed that the vulnerability stems from misconfigured access controls in SuiteCommerce instances, specifically within custom record types (CRTs) — tables created by SuiteCommerce’s enterprise customers.
These tables typically contain critical customer and business information. Criminals who gain access to this data can steal customer addresses, phone numbers, order history, and more.
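The misconfiguration described above, as an added example that is not AppOmni's or NetSuite's code: a small audit that flags custom record type (CRT) definitions which hold customer fields yet are readable without authentication, and shows the hardened access setting beside the weak one. The JSON record layout, the field-name heuristics and the sample definitions are constructed for this example; the access-type labels follow NetSuite's own options for custom record types, but the export format and the role in the permission list are assumptions.

```python
"""Audit custom record type (CRT) definitions for unauthenticated exposure of customer data.

Added example, not AppOmni's or NetSuite's code. The record-definition layout below is
constructed for illustration; the access-type labels follow NetSuite's own options for
custom record types ("No Permission Required", "Use Permission List"), but the JSON
schema, the PII heuristics and the role used in harden() are assumptions of this example.
"""
import json
import re

# Field-name fragments that commonly hold personal data (heuristic, an assumption here).
PII_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"address", r"phone", r"email", r"order", r"ssn", r"dob|birth")
]

# Access type under which a record is readable without any authenticated session.
OPEN_ACCESS = "No Permission Required"


def pii_fields(record):
    """Return the ids of fields in a CRT definition that look like personal data."""
    return [
        f["id"] for f in record["fields"]
        if any(p.search(f["id"]) or p.search(f.get("label", "")) for p in PII_PATTERNS)
    ]


def audit(records):
    """Return one (record id, pii field ids, severity) tuple per CRT definition."""
    findings = []
    for rec in records:
        pii = pii_fields(rec)
        if rec["accessType"] == OPEN_ACCESS and pii:
            sev = "HIGH"    # personal data readable by unauthenticated users
        elif rec["accessType"] == OPEN_ACCESS:
            sev = "MEDIUM"  # open access but no obvious PII; still review
        else:
            sev = "OK"
        findings.append((rec["id"], pii, sev))
    return findings


def harden(record):
    """Return a copy of the CRT definition with open access replaced by a permission list.

    The role/level entry is illustrative; the real permission list must match the roles
    that genuinely need the record.
    """
    fixed = dict(record)
    if fixed["accessType"] == OPEN_ACCESS:
        fixed["accessType"] = "Use Permission List"
        fixed["permissions"] = [{"role": "Customer Center", "level": "View"}]  # assumption
    return fixed


# Constructed sample CRT definitions (not real NetSuite exports).
SAMPLE_CRTS = json.loads("""[
 {"id": "customrecord_shopper_profile", "accessType": "No Permission Required",
  "fields": [{"id": "custrecord_shipping_address", "label": "Shipping Address"},
             {"id": "custrecord_phone", "label": "Phone"},
             {"id": "custrecord_order_history", "label": "Order History"}]},
 {"id": "customrecord_store_banner", "accessType": "No Permission Required",
  "fields": [{"id": "custrecord_banner_img", "label": "Banner image"}]},
 {"id": "customrecord_loyalty", "accessType": "Use Permission List",
  "fields": [{"id": "custrecord_email", "label": "Email"}]}
]""")

if __name__ == "__main__":
    for rid, pii, sev in audit(SAMPLE_CRTS):
        print(f"{sev:6} {rid} pii={pii}")
    print(json.dumps(harden(SAMPLE_CRTS[0]), indent=1))
```

The weak setting is the record being readable with no permission at all while it carries address, phone and order fields; the corrected definition keeps the same fields but gates reads behind a permission list, which is the kind of settings review NetSuite asked its SuiteCommerce customers to perform. Re-running the audit over the hardened definitions should leave no HIGH or MEDIUM findings.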
Working on a solution
According to researchers at AppOmni, the vulnerability could pose a risk to many small and medium-sized businesses, as they rarely have the resources to identify and address these types of bugs.
The good news is that NetSuite has already acknowledged AppOmni’s findings and is reportedly working on a patch. It also told all SuiteCommerce users to review their security settings and implement the recommended best practices, as that’s the right way to protect CRTs from threat actors and other unauthenticated users.
“During my time as a SaaS security researcher, it became increasingly clear that unauthenticated data exposure via SaaS applications is one of the biggest threats to enterprises,” wrote Aaron Costello, head of SaaS security research at AppOmni, in his analysis. “Moreover, these risks will become even greater as vendors introduce increasingly complex functionalities into their products to remain competitive.”
Costello believes that organizations will struggle to address these issues because they are often discovered “only through custom research,” which many companies don’t have the time or money to do.
This, he says, is especially true for large enterprises “that have operationalized multiple SaaS business applications to meet the many demands within their industries.”