By LBT Technology Group, LLC. on Friday, 23 August 2024
Category: Security

Your Oracle NetSuite data may be exposed

Threat update

Researchers discovered that externally-facing Oracle NetSuite e-commerce sites may expose sensitive customer information when configured inaccurately.

Technical Detail and Additional Info

What is the threat?

Researchers found that Oracle NetSuite's SuiteCommerce platforms are commonly misconfigured, allowing attackers to gain access to the full addresses and mobile phone numbers of registered customers. There are two places in NetSuite where data can be secured: at the Custom Record Type (CRT) level and/or at the field level. The common misconfiguration on many NetSuite sites is using the "No Permission Required" setting on some of their CRTs.

When these permissions are misconfigured, an attacker can discover the names of fields and CRTs, allowing them to leak data through standard API calls. In addition, the default permission for searches is open, so an attacker who is able to learn the field names and IDs can also search for the data.
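The two-level model above (record-level access type plus field-level restriction) lends itself to an offline audit. The following Python script is an added example, not code from the original post or from Oracle; it assumes a constructed CSV export listing each CRT's access type and each field's restriction flag (NetSuite's real export format and the PII keyword list are assumptions), and flags CRTs that are open at the record level and carry unrestricted fields whose labels look like personal data.

```python
"""Offline audit of NetSuite custom record type (CRT) permissions (added example).

Assumed input: a CSV export with one row per CRT field, giving the CRT's
Access Type and whether field-level access restrictions are set. The column
layout is a constructed assumption, not NetSuite's own export format.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample export for demonstration; not real customer data.
SAMPLE_EXPORT = """\
record_type,access_type,field_id,field_label,field_restricted
customrecord_loyalty,No Permission Required,custrecord_loyalty_name,Customer Name,no
customrecord_loyalty,No Permission Required,custrecord_loyalty_phone,Mobile Phone,no
customrecord_loyalty,No Permission Required,custrecord_loyalty_addr,Shipping Address,no
customrecord_loyalty,No Permission Required,custrecord_loyalty_tier,Tier,no
customrecord_promo,No Permission Required,custrecord_promo_code,Promo Code,no
customrecord_promo,No Permission Required,custrecord_promo_expires,Expires,no
customrecord_returns,Use Permission List,custrecord_ret_email,Customer Email,no
customrecord_vip,No Permission Required,custrecord_vip_email,Email,yes
"""

# The record-level setting the advisory identifies as the common misconfiguration.
OPEN_ACCESS = "No Permission Required"

# Heuristic keyword list for PII-looking fields (assumption: extend for your own data model).
PII_PATTERN = re.compile(r"(name|phone|mobile|address|addr|email|ssn|birth)", re.I)


@dataclass
class Finding:
    record_type: str
    exposed_pii_fields: list


def audit(csv_text):
    """Return a Finding for every CRT that is open at the record level and
    exposes at least one unrestricted, PII-looking field.

    A CRT with a permission requirement at the record level is skipped, and a
    field with its own restriction set is not counted as exposed, mirroring the
    two places in NetSuite where data can be secured."""
    per_record = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_record.setdefault(row["record_type"], []).append(row)

    findings = []
    for record_type, rows in per_record.items():
        # Record-level check: only "No Permission Required" CRTs are of concern.
        if any(r["access_type"].strip() != OPEN_ACCESS for r in rows):
            continue
        # Field-level check: unrestricted fields whose id or label suggests PII.
        exposed = [
            r["field_id"]
            for r in rows
            if r["field_restricted"].strip().lower() != "yes"
            and PII_PATTERN.search(r["field_label"] + " " + r["field_id"])
        ]
        if exposed:
            findings.append(Finding(record_type, exposed))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.record_type}: open at record level, unrestricted PII fields: "
              f"{', '.join(f.exposed_pii_fields)}")
```

On the constructed export this reports only customrecord_loyalty: customrecord_promo is open but holds no PII-looking fields, customrecord_returns requires a permission at the record level, and customrecord_vip has its email field restricted at the field level. Any CRT the script reports is a candidate for moving off "No Permission Required" or for adding field-level restrictions, as compensating controls.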

Why is it noteworthy?

It is important to note that this is not a vulnerability in Oracle NetSuite, but a common misconfiguration. Researchers have found thousands of external-facing sites with this misconfiguration. The issue most likely arises when adequate compensating controls are not implemented after the CRT permissions are set to open.

What is the exposure or risk?

An incorrectly configured NetSuite SuiteCommerce site allows attackers to access sensitive customer data, including names, addresses, phone numbers, and other information.

What are the recommendations?

LBT Technology Group recommends the following actions to improve the security of data available via Oracle NetSuite's SuiteCommerce:

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact LBT's Sales Engineer.
