Thousands of NetSuite customers accidentally exposing their data

Researchers claim that thousands of organisations using NetSuite SuiteCommerce are inadvertently exposing their most sensitive data because of misconfigured access controls on custom record types (CRTs) in their SuiteCommerce instances.

Aaron Costello, chief of software-as-a-service (SaaS) research at AppOmni, stated that this misconfiguration results in the unintentional creation and deployment of a public-facing, default stock website that allows for easy data exfiltration.

Many affected users were unaware that they were leaking large amounts of data, including personally identifiable information (PII) such as postal addresses and mobile phone numbers.

Costello highlighted the significance of NetSuite as a leading enterprise resource planning (ERP) system that handles critical business data for numerous organisations. He emphasised the need for organisations to implement strong SaaS security programmes to address both known and unknown risks.

How it works

One popular feature of NetSuite’s ERP platform is the ability to deploy a public store using SuiteCommerce or SiteBuilder. These allow unauthenticated customers to register, browse, and purchase products directly, streamlining order processing, fulfilment, and inventory management.

Each deployed site contains standard record types (SRTs) and custom record types (CRTs). CRTs are more flexible, but when their access controls are not configured correctly their contents become readable from the public site, and an unauthenticated API call can then be used to exfiltrate that data.

Costello clarified that the issue stems from user actions rather than a vulnerability in NetSuite’s products.

Fixing the problem

Currently, it is difficult to determine if an organisation has experienced data exfiltration due to this misconfiguration. Users are advised to review AppOmni’s detailed analysis and contact NetSuite support if they suspect malicious activity.

To prevent data exposure, access controls on CRTs must be hardened, which may impact legitimate business operations and require careful consideration by administrators.
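One way for an administrator to prioritise that hardening work is to triage an inventory of CRTs by access setting and by whether their fields look like PII. The script below is an added example, not code from the article or from NetSuite: the inventory layout and the access labels are assumptions, and the sample records are constructed.

```python
# Added example: rank custom record types (CRTs) for access-control hardening.
# The dict layout and the "access" labels are assumptions for this example,
# not NetSuite's real export format; the inventory itself is constructed.
import re

# Constructed sample inventory of CRTs and their fields.
CRT_INVENTORY = [
    {"id": "customrecord_orders", "access": "no_permission_required",
     "fields": ["custrecord_order_id", "custrecord_ship_address", "custrecord_phone"]},
    {"id": "customrecord_catalog_tags", "access": "no_permission_required",
     "fields": ["custrecord_tag_name"]},
    {"id": "customrecord_loyalty", "access": "use_permission_list",
     "fields": ["custrecord_email", "custrecord_dob"]},
]

# Field-name keywords that usually indicate personal data (assumed list).
PII_PATTERNS = ["address", "phone", "mobile", "email", "dob", "birth", "ssn", "passport"]
# Access settings that make a CRT readable without any permission (assumed label).
PUBLIC_ACCESS = {"no_permission_required"}


def pii_fields(fields):
    """Return the field ids whose names match a PII keyword."""
    return [f for f in fields if any(re.search(p, f, re.I) for p in PII_PATTERNS)]


def triage(inventory):
    """Return (crt_id, severity, pii_fields) for every publicly readable CRT.

    Severity is 'high' when PII-like fields are present (harden first) and
    'review' otherwise (confirm the public exposure is intended). Non-public
    CRTs are skipped. Results are ordered with 'high' findings first.
    """
    findings = []
    for crt in inventory:
        if crt["access"] not in PUBLIC_ACCESS:
            continue
        pii = pii_fields(crt["fields"])
        findings.append((crt["id"], "high" if pii else "review", pii))
    findings.sort(key=lambda f: f[1] != "high")
    return findings


if __name__ == "__main__":
    for crt_id, severity, pii in triage(CRT_INVENTORY):
        print(f"{severity:6} {crt_id} {pii}")
```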

Top threats to enterprises

Costello highlighted unauthenticated data exposure via SaaS applications as a major threat to enterprises. With the increasing complexity of functionality, addressing these issues will become more challenging for security teams and platform administrators.