A critical misconfiguration in Oracle NetSuite’s SuiteCommerce platform, affecting thousands of e-commerce sites, has been discovered by security researchers [2].
Description
This misconfiguration involves improper access controls on Custom Record Types (CRTs) [1], allowing unauthorized access to sensitive customer data such as home addresses and phone numbers. Hackers can exploit this vulnerability by targeting CRTs whose access type is set to “No Permission Required”. Several thousand public SuiteCommerce websites are already affected by this issue [4], which can lead to unauthorized access to Personally Identifiable Information (PII). Administrators are advised to tighten access controls on CRTs to prevent data leakage.
Conclusion
To address this issue, administrators should adjust access controls on CRTs by setting sensitive fields to ‘None’ for public access or changing the access type to ‘Require Custom Record Entries Permission’ [2]. While Oracle has introduced additional security measures [3], it is crucial for administrators to review and adjust access controls to protect customer information. Organizations should temporarily take affected sites offline to reassess and reconfigure access controls [4]. By enhancing access controls and evaluating field-level access controls, administrators can secure restricted data and prevent unauthorized access.
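The following is an added example of the audit and remediation logic described above, written here for illustration; it is not NetSuite's API, SuiteScript, or code from any of the cited sources. It assumes a hypothetical export of each CRT's access type and per-field public access level (the dataclass and sample records below are constructed), flags CRTs that expose PII-like fields to anonymous storefront users, and applies the two fixes the advisory names: setting sensitive fields' public access to ‘None’, or switching the record's access type to ‘Require Custom Record Entries Permission’.

```python
# Added example: offline audit of a constructed CRT access-control export.
# The export shape (CustomRecordType with access_type and a field->level map)
# is an assumption for illustration, not NetSuite's real configuration API.
from dataclasses import dataclass, replace

NO_PERMISSION_REQUIRED = "No Permission Required"
REQUIRE_CUSTOM_RECORD_ENTRIES_PERMISSION = "Require Custom Record Entries Permission"

# Hypothetical field-id fragments that usually hold PII; extend for your own data model.
PII_HINTS = ("address", "phone", "email", "ssn", "name")


@dataclass
class CustomRecordType:
    name: str
    access_type: str
    fields: dict  # field id -> public access level ("None", "View", "Edit")


def is_pii_field(field_id: str) -> bool:
    """Heuristic: treat a field as PII if its id contains a known hint."""
    return any(hint in field_id.lower() for hint in PII_HINTS)


def audit(crts):
    """Return findings as (crt name, field id, reason) for PII fields readable without permission."""
    findings = []
    for crt in crts:
        if crt.access_type != NO_PERMISSION_REQUIRED:
            continue  # entries require a permission, so anonymous users cannot read them
        for field_id, level in crt.fields.items():
            if level != "None" and is_pii_field(field_id):
                findings.append((crt.name, field_id, f"public {level} access on PII field"))
    return findings


def harden_fields(crt):
    """Fix 1: keep the record public but set every PII field's public access to None."""
    fixed = {f: ("None" if is_pii_field(f) else lvl) for f, lvl in crt.fields.items()}
    return replace(crt, fields=fixed)


def require_permission(crt):
    """Fix 2: change the record's access type so entries need an explicit permission."""
    return replace(crt, access_type=REQUIRE_CUSTOM_RECORD_ENTRIES_PERMISSION)


# Constructed sample export: one leaking CRT, one harmless public CRT, one already restricted.
SAMPLE_CRTS = [
    CustomRecordType("customrecord_customer_profile", NO_PERMISSION_REQUIRED, {
        "custrecord_home_address": "View",
        "custrecord_phone": "View",
        "custrecord_loyalty_tier": "View",
    }),
    CustomRecordType("customrecord_store_hours", NO_PERMISSION_REQUIRED, {
        "custrecord_open_time": "View",
        "custrecord_close_time": "View",
    }),
    CustomRecordType("customrecord_support_contact", REQUIRE_CUSTOM_RECORD_ENTRIES_PERMISSION, {
        "custrecord_contact_email": "View",
    }),
]

if __name__ == "__main__":
    for name, field_id, reason in audit(SAMPLE_CRTS):
        print(f"{name}.{field_id}: {reason}")
    print("after harden_fields:", audit([harden_fields(c) for c in SAMPLE_CRTS]))
    print("after require_permission:", audit([require_permission(c) for c in SAMPLE_CRTS]))
```

Running the audit on the sample export reports the two PII fields on the public customer-profile record and nothing for the store-hours record, which is public but holds no sensitive data; either fix brings the finding count to zero, and `harden_fields` leaves non-PII fields such as the loyalty tier readable, so the storefront keeps working.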
References
[1] https://securityaffairs.com/167287/hacking/oracle-netsuite-misconfiguration.html
[2] https://www.vpnranks.com/news/netsuite-flaw-exposes-customer-data-thousands-at-risk/
[3] https://cyberpress.org/oracle-netsuite-flaw/
[4] https://www.defensorum.com/flawed-netsuite-setup-leaves-customer-data-exposed/