Thousands of Oracle NetSuite ERP websites found leaking private customer information

News
By published

Misconfigurations once again found to be cause of data leaks

Data leak
(Image credit: Shutterstock)

Researchers have discovered a vulnerability in Oracle Netsuite’s SuiteCommerce ecommerce platform that could allow threat actors to steal sensitive data from websites.

A report from AppOmni revealed the vulnerability comes from misconfigured access controls in SuiteCommerce instances, specifically within custom record types (CRTs) – tables created by the SuiteCommerce enterprise customers.

These tables usually hold critical customer data, as well as business operation information. Crooks who manage to gain access to this data can steal customer addresses, phone numbers, order history, and more.

Working on a fix

AppOmni’s researchers said the vulnerability could put many small and medium-sized businesses at risk, since they rarely have the resources to identify and address bugs such as this one.

The good news is NetSuite has already acknowledged AppOmni’s findings, and was said to be working on a patch. It also told all SuiteCommerce users to review their security settings and apply suggested best practices, as that’s the proper way of securing CRTs against threat actors and other unauthenticated users.

“Throughout my time conducting SaaS security research, it’s becoming clear that unauthenticated data exposure via SaaS applications is among the top threats to enterprises,” Aaron Costello, chief of SaaS security research at AppOmni, wrote in his analysis. “Further, as vendors introduce increasingly complex functionality into their products to remain competitive these risks will become even more prevalent.”

It is Costello’s belief organizations will struggle to tackle these issues, since they are often discovered “just through bespoke research,” for which many firms don’t have the time, or the money.

This, he claims, is particularly true for large enterprises “that have operationalized several enterprise SaaS applications to fulfill multiple demands across their lines of business.”

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

More about security
Person editing a WordPress site

A key WordPress feature has been hijacked to show malicious code, spam images
Data Breach

Top API testing firm APIsec exposed customer data during security lapse
GL.iNet Slate 7 router

Here's the world's first mobile Wi-Fi 7 router, and I can't believe how ridiculously cheap it is
See more latest
Most Popular
GL.iNet Slate 7 router
Here's the world's first mobile Wi-Fi 7 router, and I can't believe how ridiculously cheap it is
Apple MacBook Air 13-inch (M4) REVIEW
You can now set up your new Mac with an iPhone or iPad, and it might just be the best new time-saver
AYANEO Retro Mini PC AM01S
Mac-inspired mini PC has three unique, exciting features that I beg other mini PC designers to embrace and copy
Google Chrome
Gave up trying to install Chrome on Windows 11 because it wouldn’t work? Google has fixed this error, but I can’t believe how long it took
An AI face in profile against a digital background.
Humans as hardware - no, not the name of a new Matrix movie prequel but a shocking idea about human tissue
Samsung Galaxy Z Fold 6 REVIEW
Foldable phone sales are tipped to fall this year – and Apple is the only brand that could turn things around
An AI-generated receipt made using ChatGPT's image generator
ChatGPT is now really good at faking receipts – and OpenAI says that could be a good thing
Mullvad VPN working on a laptop
Mullvad VPN promises to be even better protecting you against AI surveillance
Person editing a WordPress site
A key WordPress feature has been hijacked to show malicious code, spam images
Apple Logo
Apple fined over €150 million in France for discriminatory consent practices surrounding its ATT framework