Thousands of Oracle NetSuite ERP websites found leaking private customer information
Misconfigurations once again found to be cause of data leaks
Researchers have discovered a vulnerability in Oracle NetSuite’s SuiteCommerce ecommerce platform that could allow threat actors to steal sensitive data from websites.
A report from AppOmni revealed the vulnerability comes from misconfigured access controls in SuiteCommerce instances, specifically within custom record types (CRTs) – tables created by the SuiteCommerce enterprise customers.
These tables usually hold critical customer data, as well as business operation information. Crooks who manage to gain access to this data can steal customer addresses, phone numbers, order history, and more.
Working on a fix
AppOmni’s researchers said the vulnerability could put many small and medium-sized businesses at risk, since they rarely have the resources to identify and address bugs such as this one.
The good news is NetSuite has already acknowledged AppOmni’s findings, and was said to be working on a patch. It also told all SuiteCommerce users to review their security settings and apply suggested best practices, as that’s the proper way of securing CRTs against threat actors and other unauthenticated users.
“Throughout my time conducting SaaS security research, it’s becoming clear that unauthenticated data exposure via SaaS applications is among the top threats to enterprises,” Aaron Costello, chief of SaaS security research at AppOmni, wrote in his analysis. “Further, as vendors introduce increasingly complex functionality into their products to remain competitive, these risks will become even more prevalent.”
It is Costello’s belief organizations will struggle to tackle these issues, since they are often discovered “just through bespoke research,” for which many firms don’t have the time, or the money.
This, he claims, is particularly true for large enterprises “that have operationalized several enterprise SaaS applications to fulfill multiple demands across their lines of business.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.