IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image

Oracle NetSuite glitch leaks data from thousands of websites

Tue, 20th Aug 2024

A significant security concern has emerged involving thousands of websites leaking private customer information, including addresses and phone numbers, due to a misconfiguration in the Oracle NetSuite SuiteCommerce platform.

This revelation was made by AppOmni, a company specialising in SaaS security, with the issue being identified by Aaron Costello, AppOmni's chief of SaaS security research.

The problem lies in misconfigured access controls within SuiteCommerce instances, particularly in custom record types (CRTs), which are tables created by SuiteCommerce enterprise customers. According to Costello, "NetSuite is one of the world's leading enterprise resource planning (ERP) systems and handles business-critical data for thousands of organizations. My research found that thousands of these organizations are leaking sensitive customer data to the public through misconfigurations in their access controls. The sheer scale at which I found these exposures to be occurring is significant."

AppOmni's findings indicate that several thousand live public websites are leaking sensitive information due to these misconfigurations. In many cases, organizations had unintentionally deployed a public default stock website upon purchasing their NetSuite instance, which contributed to the exposure. Sensitive data such as personally identifiable information (PII) of registered customers, including full addresses and mobile phone numbers, has been reported as the most commonly exposed information.

To mitigate the risk, AppOmni advises administrators to tighten access controls on CRTs. This includes setting sensitive fields to 'None' for public access and considering temporarily taking impacted sites offline to prevent further data exposure. Costello emphasised, "Many organizations are struggling to implement and maintain a robust SaaS security program. Through research like this, AppOmni strives to educate and equip organizations so that they may be better prepared to identify and tackle both known and unknown risks to their SaaS applications."

This is not an isolated incident. AppOmni has previously uncovered similar misconfiguration issues that led to data compromises in other platforms such as ServiceNow and Salesforce. These repeated issues highlight the growing need for better awareness and stronger security measures within organizations that rely heavily on SaaS applications for their operations.

Netsuite is a popular SaaS Enterprise Resource Planning (ERP) platform that allows businesses to deploy an external-facing store using SuiteCommerce or SiteBuilder. These sites are hosted on a subdomain of the NetSuite tenant and enable users to browse, register, and even purchase products. While the primary aim is to streamline e-commerce operations and back-office processes, the security configuration of these platforms is critical to ensure that sensitive customer information is not inadvertently exposed.

In light of these findings, there are specific technical considerations to be aware of within the NetSuite architecture and APIs. One critical aspect involves understanding how frontend and client-side components interact with server-side components and the database. NetSuite's access control model employs various mechanisms to protect data, and misconfigurations here can lead to unauthorised access to sensitive information.

For organizations using SuiteCommerce, AppOmni recommends reviewing and updating their access controls to ensure that CRT definitions require appropriate permissions. This may involve changing the Default Access Level and Default Level for Search/Reporting settings to 'None' for all sensitive fields. Furthermore, in severe cases of data exposure, taking affected websites offline temporarily, to reassess and strengthen security configurations, is advised.

Organizations concerned about possible data exposure due to these misconfigurations should contact NetSuite support to request access to raw log data for a thorough investigation. This proactive approach can help in identifying any unauthorised accesses that may have occurred.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X