The Information Highway

The Information Highway
Font size: +
  Print
2 minutes reading time (363 words)

Your Oracle NetSuite data may be exposed

103 Hits

Threat update

Researchers discovered that externally-facing Oracle NetSuite e-commerce sites may expose sensitive customer information when configured inaccurately.

Technical Detail and Additional Info

What is the threat?

It is found that Oracle Netsuite's SuitCommerce platforms are commonly misconfigured, allowing attackers to gain access to full addresses and mobile phone numbers of registered customers. There are two places in NetSuite to secure data, Custom Record Type (CRT) level, and/or the field type. The common misconfiguration for many NetSuite sites is using the "No Permission Required" permission on some of their CRTs.

If these permissions are misconfigured, an attacker can discover the names of fields and CRTs, allowing them to leak data through standard API calls. However, the default permission for searches is open, resulting in an attacker being able to search for data if they are able to leak the field names and IDs. 

Why is it noteworthy?

It is important to note that this is not a vulnerability in Oracle NetSuite, but a common misconfiguration. Researchers have found thousands of external-facing sites with this misconfiguration. The issue most likely arises when you fail to implement adequate compensating controls after setting the CRT permissions to open. 

What is the exposure or risk?

An incorrectly configured Netsuite SuiteCommerce site allows attackers to access sensitive customer data, including names, addresses, phone numbers, and other information. 

What are the recommendations?

 LBT Technology Group recommends the following actions to improve data security available via Oracle NetSuite's SuiteCommerce:

  • Audit data permissions and access regularly.
  • Set access controls on both the CRT and fields.
  • Set the default permission for all new fields to be "none". An administrator will have to manually assess the permission for each new field. This should be applied to both the "Default Access Level" and "Default Level for Search / Reporting". In most cases, this will require the administrator to reinstate permissions using a different technique.
  • Train administrators on the proper configuration of CRT permissions to minimize the risk of accidental exposure.

References

 For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact LBT's Sales Engineer.


0
How do you feel about this post?
Happy (0)
Love (0)
Surprised (0)
Sad (0)
Angry (0)
Tags:
Technical Detail customer information externally-facing Oracle NetSuite e-commerce sites block Researchers move
Seattle-Tacoma Airport IT systems down due to a cy...
US oil giant Halliburton confirms cyberattack behi...

About the author

LBT Technology Group, LLC.

LBT Technology Group, LLC.

As we navigate our ever-evolving cyber society, LBT Technology Group believes providing comprehensive IT services to others is essential. As a Managed IT Services Provider (MSP), we are positioned to eliminate your pain points by optimizing your technology, mitigating your cyber security risk footprint, and improving your cyber resilence. The focus we place on reducing the presistent cyber security risks to the confidentiality, integrity, and availability of your information systems and our proficiency in restoring IT services in the event of a cyber attack or technology outage separates us from our competitors--WE SIMPLIFY YOUR IT EQUATION.
Author's recent posts
More posts from author

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Thursday, 19 September 2024

Captcha Image