Oracle’s NetSuite SuiteCommerce Vulnerable to Data Exposure Flaw

Oracle’s NetSuite, a widely used Enterprise Resource Planning (ERP) platform, lets businesses set up an external-facing store using SuiteCommerce or SiteBuilder. This feature runs e-commerce operations and back-office processes on a single platform, streamlining order processing, fulfillment, and inventory management.

However, a recent investigation has found that misconfigured SuiteCommerce deployments can give attackers access to sensitive data. The issue stems from misconfigured access controls on custom record types (CRTs).

Aaron Costello, the Chief of SaaS Security Research at AppOmni, highlighted the potential impact of this issue on thousands of live public SuiteCommerce websites. He emphasized that organizations deploying NetSuite may unknowingly expose default stock websites, even if they did not intend to set up an e-commerce store.

The exposed data primarily includes personally identifiable information (PII) of registered customers, such as full addresses and mobile phone numbers. It is crucial to clarify that this is not a security vulnerability inherent in the NetSuite product itself but rather a potential risk arising from customers’ access control configurations.

NetSuite employs a multi-layered access control framework comprising table-level and field-level controls. Table-level controls regulate visibility of entire data tables, while field-level controls manage access to specific fields within a table.

The security concern arises from the interaction between NetSuite’s online store feature and the underlying database. When a store visitor requests data, NetSuite checks the access controls on the relevant record type and its fields to decide whether to return it. If those controls are too permissive, attackers can use the store to retrieve confidential information.

To mitigate the issue, businesses are advised to configure table-level access controls to “Require Custom Record Entries Permission” and set field-level access controls to “None” for public access. Additionally, NetSuite administrators should review and adjust access controls on custom record types, restrict access to sensitive fields, and consider temporarily taking impacted sites offline until appropriate access controls are in place.
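One way to check a deployment against the two settings named above, as an added example that is not code from the article, from AppOmni, or from NetSuite: it applies the table-level and field-level rule to a constructed export of custom record types and produces a hardened copy of each. The `CustomRecordType` structure, the PII tagging, the access-type value `"No Permission Required"` and the field levels `"View"` and `"Edit"` are assumptions for the illustration; a real audit would read these settings from the NetSuite administration UI or API.

```python
# Added example, not from the article or NetSuite. It models the two-layer
# control the article describes: a field is reachable by the public only
# when BOTH the table-level access type and the field's public access level
# allow it. Only the two quoted setting values come from the article; the
# rest of the setting vocabulary is assumed.
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Iterable, List

SAFE_TABLE_ACCESS = "Require Custom Record Entries Permission"  # quoted in the article
SAFE_PUBLIC_FIELD_ACCESS = "None"                               # quoted in the article


@dataclass(frozen=True)
class CustomRecordType:
    script_id: str
    access_type: str                      # table-level control (assumed vocabulary)
    public_field_access: Dict[str, str]   # field name -> level granted to unauthenticated users
    pii_fields: FrozenSet[str] = frozenset()  # fields the owner has tagged as personal data


@dataclass(frozen=True)
class Finding:
    record_type: str
    field_name: str
    pii: bool
    reason: str


def audit_custom_record(crt: CustomRecordType) -> List[Finding]:
    """One finding per field that the public can read on this record type.

    Either layer set to its safe value is enough to close the field, which is
    why both the table-level and the field-level setting are checked together.
    """
    findings: List[Finding] = []
    table_open = crt.access_type != SAFE_TABLE_ACCESS
    for name, level in crt.public_field_access.items():
        field_open = level != SAFE_PUBLIC_FIELD_ACCESS
        if table_open and field_open:
            findings.append(Finding(
                record_type=crt.script_id,
                field_name=name,
                pii=name in crt.pii_fields,
                reason=f"access_type={crt.access_type!r}, public field access={level!r}",
            ))
    return findings


def audit_all(crts: Iterable[CustomRecordType]) -> List[Finding]:
    """Audit every record type; PII findings are listed first."""
    findings = [f for crt in crts for f in audit_custom_record(crt)]
    return sorted(findings, key=lambda f: (not f.pii, f.record_type, f.field_name))


def harden(crt: CustomRecordType) -> CustomRecordType:
    """Return a copy with the settings the article recommends applied at both layers."""
    closed_fields = {name: SAFE_PUBLIC_FIELD_ACCESS for name in crt.public_field_access}
    return replace(crt, access_type=SAFE_TABLE_ACCESS, public_field_access=closed_fields)


# Constructed sample export (assumed shape and values, not real NetSuite data).
SAMPLE = [
    CustomRecordType(
        "customrecord_shipping_profile", "No Permission Required",
        {"address": "View", "mobile": "View", "preferred_carrier": "None"},
        pii_fields=frozenset({"address", "mobile"}),
    ),
    CustomRecordType(
        "customrecord_loyalty", "Require Custom Record Entries Permission",
        {"points": "View"},
    ),
    CustomRecordType(
        "customrecord_faq", "No Permission Required",
        {"question": "View", "answer": "Edit"},
    ),
]


if __name__ == "__main__":
    for f in audit_all(SAMPLE):
        tag = "PII " if f.pii else "    "
        print(f"{tag}{f.record_type}.{f.field_name}: {f.reason}")
    print("after hardening:", audit_all(harden(c) for c in SAMPLE))
```

Run as a script it lists the four publicly readable fields in the sample, with the two tagged as PII first, and shows that the hardened copies produce no findings. The loyalty record has an open field but a safe table-level setting, so it is correctly not reported; that is the case the article's two-layer description is about.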

By taking proactive steps to address these security concerns, businesses can safeguard sensitive information and uphold data protection standards in their NetSuite environments. It is imperative for organizations to prioritize cybersecurity measures and stay vigilant against potential threats in today’s digital landscape.
