Thousands Of Oracle NetSuite Sites Said To Be Exposing Customer Data
A misconfiguration in Oracle’s NetSuite SuiteCommerce offering could put customer data at risk of exposure.
Researchers with security vendor AppOmni said that a quirk in the way commercial sites are configured on NetSuite can expose personal information, including mailing addresses and personal phone numbers.
According to AppOmni Chief of SaaS Security Research Aaron Costello the problem lies in the way many SuiteCommerce installations are configured, setting the stage for records to be called without proper authorization.
AppOmni emphasized that the issue was not a security vulnerability within SuiteCommerce itself, but rather a problem with the way thousands of sites have been configured.
“Based on my initial investigations, several thousand live public SuiteCommerce websites are already affected,” Costello explained.
“In many such cases, organizations using NetSuite that had no intention of deploying a commercial store were entirely unaware that a default stock website had been deployed publicly upon purchase of their instance.”
Specifically, Costello said, many sites are being left vulnerable to an API call that allows an unauthorized user to pull up customer records. This could potentially allow a threat actor to create HTML requests that result in the return of user records, in most cases information such as address information and contact details.
“The most common API used to perform operations on individual records in NetSuite is through the ‘record’ API,” said Costello.
“The functions exposed by this API grant the ability to perform varying CRUD operations, conveniently accessible from the Client Side.”
Unfortunately, says AppOmni, fixing the problem is not an easy fix. Costello says that many customers may never even realize that their sites have been exploited by threat actors, as logging information can be hard to come by in many cases.
“Unfortunately, NetSuite does not provide readily available transaction logs which can be used to determine malicious use of these client-side APIs,” Costello explained.
“If you suspect that your organization may have been the victim of an attack that resembled a pattern similar to what was discussed in this blog post, we recommend contacting NetSuite support and requesting the raw log data.”
READ MORE HERE