Researchers have discovered a vulnerability in Oracle NetSuite's SuiteCommerce e-commerce platform that could allow threat actors to steal sensitive data from websites built on it.
An AppOmni report revealed that the vulnerability stems from misconfigured access controls in SuiteCommerce instances, specifically within custom record types (CRTs) – tables created by SuiteCommerce enterprise customers.
These tables often contain important customer data as well as information about business transactions. Criminals who gain access to this data can steal customer addresses, phone numbers, order history, and more.
Working on a solution
AppOmni researchers said the vulnerability could put many small and mid-sized businesses at risk, as they rarely have the resources to identify and address bugs like this one.
The good news is that NetSuite has already acknowledged AppOmni’s findings and is said to be working on a patch. It has also told all SuiteCommerce users to review their security settings and apply the suggested best practices, since correctly configured access controls are what keep CRTs out of reach of threat actors and other unauthenticated users.
“During my time researching SaaS security, it has become clear to me that unauthenticated data exposure via SaaS applications is one of the top threats to enterprises,” Aaron Costello, head of SaaS security research at AppOmni, wrote in his analysis. “Furthermore, as vendors introduce increasingly complex features into their products to remain competitive, these risks will become more prevalent.”
Costello believes organisations will struggle to address these issues as they are often discovered “simply through bespoke investigations”, which many companies do not have the time or money to do.
This, he says, is particularly true for large enterprises “that have deployed multiple enterprise SaaS applications to meet multiple demands across their lines of business.”