Researchers have discovered a vulnerability in Oracle NetSuite's SuiteCommerce ecommerce platform that could allow threat actors to steal sensitive data from websites built on it.
A report from AppOmni revealed that the vulnerability stems from misconfigured access controls in SuiteCommerce instances, specifically on custom record types (CRTs): tables created by SuiteCommerce enterprise customers themselves.
These tables usually hold critical customer data as well as business operation information. Attackers who gain access to them can steal customer addresses, phone numbers, order history, and more.
Working on a fix
AppOmni’s researchers said the vulnerability could put many small and medium-sized businesses at risk, since they rarely have the resources to identify and address bugs such as this one.
The good news is that NetSuite has already acknowledged AppOmni's findings and is said to be working on a patch. It has also told all SuiteCommerce users to review their security settings and apply the suggested best practices, since that is the proper way of securing CRTs against threat actors and other unauthenticated users.
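The failure described above, and the review NetSuite recommends, come down to one question per custom record type: can an anonymous storefront visitor read it, and does it hold sensitive fields? The following is an added, generic model of that check, written for this page; it is not NetSuite's API, schema, or AppOmni's tooling. The access-type labels, the sensitive-field list, the `customrecord_` names and the sample records are all constructed for illustration.

```python
"""Generic model of a custom record type (CRT) whose access setting lets
unauthenticated callers read it, beside the restricted form and an audit
that flags the exposure. Added illustration; not NetSuite's API or schema."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class AccessType(Enum):
    # Simplified labels (constructed for this example) for the two
    # record-level choices that matter here: anyone may read, or only
    # roles on an explicit permission list may read.
    PUBLIC = "public"
    PERMISSION_LIST = "permission_list"


# Field names the audit treats as personal or business-sensitive.
# Constructed list; the article names addresses, phone numbers, order history.
SENSITIVE_FIELDS = frozenset({"email", "phone", "address", "order_history"})


@dataclass(frozen=True)
class CustomRecordType:
    name: str
    access_type: AccessType
    fields: frozenset
    allowed_roles: frozenset = frozenset()


@dataclass(frozen=True)
class Principal:
    """An authenticated caller. `None` stands for an anonymous web visitor."""
    roles: frozenset


def can_read(crt: CustomRecordType, who: Optional[Principal]) -> bool:
    """Record-level read decision: deny by default unless the CRT is PUBLIC
    or the caller holds a role on its permission list."""
    if crt.access_type is AccessType.PUBLIC:
        return True
    if who is None:
        return False
    return bool(who.roles & crt.allowed_roles)


def audit_exposure(crts: Iterable[CustomRecordType]) -> List[Tuple[str, List[str]]]:
    """Return (CRT name, exposed sensitive fields) for every CRT that an
    anonymous caller can read and that carries sensitive fields. Public CRTs
    holding only storefront content are deliberately not reported."""
    findings = []
    for crt in crts:
        exposed = crt.fields & SENSITIVE_FIELDS
        if exposed and can_read(crt, None):
            findings.append((crt.name, sorted(exposed)))
    return findings


def harden(crt: CustomRecordType, roles: Iterable[str]) -> CustomRecordType:
    """Hardened copy of a CRT: require a permission list naming only `roles`."""
    return CustomRecordType(crt.name, AccessType.PERMISSION_LIST,
                            crt.fields, frozenset(roles))


# Constructed sample records (hypothetical names, not from any real tenant).
CUSTOMER_PROFILES = CustomRecordType(            # the misconfiguration
    "customrecord_customer_profile", AccessType.PUBLIC,
    frozenset({"customer_id", "email", "phone", "address", "order_history"}))
PRODUCT_BADGES = CustomRecordType(               # public but harmless
    "customrecord_product_badge", AccessType.PUBLIC,
    frozenset({"item_id", "badge_text"}))
SUPPLIER_TERMS = CustomRecordType(               # already restricted
    "customrecord_supplier_terms", AccessType.PERMISSION_LIST,
    frozenset({"supplier_id", "discount_pct"}), frozenset({"administrator"}))

if __name__ == "__main__":
    inventory = [CUSTOMER_PROFILES, PRODUCT_BADGES, SUPPLIER_TERMS]
    for name, fields in audit_exposure(inventory):
        print(f"EXPOSED: {name} leaks {fields} to anonymous visitors")
    fixed = harden(CUSTOMER_PROFILES, ["administrator"])
    print("after hardening:", audit_exposure([fixed, PRODUCT_BADGES, SUPPLIER_TERMS]))
```

The audit is deliberately narrow: it only reports records that are both anonymously readable and carry sensitive fields, so a public CRT that drives storefront content is left alone, which is the distinction a reviewer walking through a tenant's record types needs to make.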
“Throughout my time conducting SaaS security research, it’s becoming clear that unauthenticated data exposure via SaaS applications is among the top threats to enterprises,” Aaron Costello, chief of SaaS security research at AppOmni, wrote in his analysis. “Further, as vendors introduce increasingly complex functionality into their products to remain competitive these risks will become even more prevalent.”
It is Costello's belief that organizations will struggle to tackle these issues, since they are often discovered "just through bespoke research," for which many firms don't have the time or the money.
This, he claims, is particularly true for large enterprises “that have operationalized several enterprise SaaS applications to fulfill multiple demands across their lines of business.”