Thousands of Oracle NetSuite Sites Risk Exposing Customer Data Due to Misconfigurations

Cybersecurity researchers have raised alarms about thousands of Oracle NetSuite e-commerce sites that are vulnerable to leaking sensitive customer information. The issue stems from misconfigured access controls on custom record types (CRTs) within NetSuite’s SuiteCommerce platform.

According to AppOmni’s Aaron Costello, the problem arises not from a flaw in NetSuite itself but from improper configurations by customers. This misconfiguration allows unauthenticated users to access sensitive data, including customers’ full addresses and mobile phone numbers, due to the “No Permission Required” access setting on CRTs.

via GIPHY

To exploit this vulnerability, attackers need to know the names of the CRTs in use. Once they gain this information, they can use NetSuite’s record and search APIs to access confidential data. To mitigate this risk, administrators should tighten access controls on CRTs, set sensitive fields to “None” for public access, and consider taking affected sites offline temporarily.

Recommendation: Adjusting the access type of record definitions to “Require Custom Record Entries Permission” or “Use Permission List” can help secure the exposed data.

Thousands of Oracle NetSuite e-commerce sites risk exposing sensitive customer data due to misconfigured access controls on custom record types (CRTs). Review and secure your settings now to prevent unauthorized access.

Read: https://t.co/oDstcYavcJ#infosec #cybersecurity

— The Hacker News (@TheHackersNews) August 20, 2024

In a related security issue, Cymulate has detailed a vulnerability in Microsoft Entra ID (formerly Azure Active Directory) that allows attackers to bypass authentication processes, potentially granting unauthorized access with high privileges.

Organizations using Oracle NetSuite should urgently review and adjust their access controls to safeguard against data leakage, while vigilance is needed to address similar vulnerabilities in other systems.