The Information Highway

The Information Highway

Font size: +
2 minutes reading time (363 words)

Your Oracle NetSuite data may be exposed

Threat update

Researchers discovered that externally-facing Oracle NetSuite e-commerce sites may expose sensitive customer information when configured inaccurately.

Technical Detail and Additional Info

What is the threat?

It is found that Oracle Netsuite's SuitCommerce platforms are commonly misconfigured, allowing attackers to gain access to full addresses and mobile phone numbers of registered customers. There are two places in NetSuite to secure data, Custom Record Type (CRT) level, and/or the field type. The common misconfiguration for many NetSuite sites is using the "No Permission Required" permission on some of their CRTs.

If these permissions are misconfigured, an attacker can discover the names of fields and CRTs, allowing them to leak data through standard API calls. However, the default permission for searches is open, resulting in an attacker being able to search for data if they are able to leak the field names and IDs. 

Why is it noteworthy?

It is important to note that this is not a vulnerability in Oracle NetSuite, but a common misconfiguration. Researchers have found thousands of external-facing sites with this misconfiguration. The issue most likely arises when you fail to implement adequate compensating controls after setting the CRT permissions to open. 

What is the exposure or risk?

An incorrectly configured Netsuite SuiteCommerce site allows attackers to access sensitive customer data, including names, addresses, phone numbers, and other information. 

What are the recommendations?

 LBT Technology Group recommends the following actions to improve data security available via Oracle NetSuite's SuiteCommerce:

  • Audit data permissions and access regularly.
  • Set access controls on both the CRT and fields.
  • Set the default permission for all new fields to be "none". An administrator will have to manually assess the permission for each new field. This should be applied to both the "Default Access Level" and "Default Level for Search / Reporting". In most cases, this will require the administrator to reinstate permissions using a different technique.
  • Train administrators on the proper configuration of CRT permissions to minimize the risk of accidental exposure.

References

 For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact LBT's Sales Engineer.


Seattle-Tacoma Airport IT systems down due to a cy...
US oil giant Halliburton confirms cyberattack behi...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023