Thousands of NetSuite customers accidentally exposing their data
Researchers say that thousands of organisations running NetSuite SuiteCommerce are inadvertently exposing their most sensitive data because of misconfigured access controls on custom record types (CRTs) in their SuiteCommerce instances.
Aaron Costello, chief of software-as-a-service (SaaS) research at AppOmni, stated that this misconfiguration results in the unintentional creation and deployment of a public-facing, default stock website that allows for easy data exfiltration.
Many affected users were unaware that they were leaking large amounts of data, including personally identifiable information (PII) such as postal addresses and mobile phone numbers.
Costello highlighted the significance of NetSuite as a leading enterprise resource planning (ERP) system that handles critical business data for numerous organisations. He emphasized the need for organisations to implement strong SaaS security programs to address both known and unknown risks.
How it works
One popular feature of NetSuite’s ERP platform is the ability to deploy a public store using SuiteCommerce or SiteBuilder. These allow unauthenticated customers to register, browse, and purchase products directly, streamlining order processing, fulfilment, and inventory management.
Each deployed site works with standard record types (SRTs) and custom record types (CRTs). CRTs are more flexible, but the data they hold is exposed if their access type is configured so that no permission is required to read them, because the public storefront then lets an unauthenticated visitor read those records. The exposure is exploited through ordinary API calls from the storefront, with no need for an account, to exfiltrate the records in bulk.
Costello clarified that the issue stems from user actions rather than a vulnerability in NetSuite’s products.
Fixing the problem
Currently, it is difficult for an organisation to determine whether data has already been exfiltrated through this misconfiguration. Users are advised to review AppOmni's detailed analysis and to contact NetSuite support if they suspect malicious activity.
To prevent further exposure, the access controls on CRTs must be hardened. Tightening a CRT's access type can break storefront features that depend on reading that record, so administrators need to review which CRTs a site legitimately needs before changing them.
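The review described above starts with an inventory: which custom record types are readable without any permission, and which of those hold personal data? The following script is an added example, not code from AppOmni or NetSuite, and it covers both the exposure mechanism described under "How it works" and the hardening step. It parses a constructed set of custom record type definitions in the shape of SuiteCloud Development Framework (SDF) object XML and ranks the ones that unauthenticated callers could read. The element names (`accesstype`, `customrecordcustomfield`, `fieldtype`, `label`) and the access-type values (`NONEEDED`, `CUSTRECORDENTRYPERM`, `USEPERMISSIONLIST`) are assumptions based on SDF exports and should be checked against an export from your own account; the PII heuristic and the sample records are likewise invented for the example.

```python
"""Flag custom record types (CRTs) that require no permission to read.

Added example, not AppOmni's or NetSuite's code. The XML below is constructed
to mimic SDF customrecordtype objects; element names and accesstype values are
assumptions and should be verified against a real `suitecloud object:import`.
"""
import re
import xml.etree.ElementTree as ET

# Assumed SDF values for the CRT "Access Type" field; the NetSuite UI labels
# them "No Permission Required", "Require Custom Record Entries Permission"
# and "Use Permission List".
ACCESS_LABELS = {
    "NONEEDED": "No Permission Required",
    "CUSTRECORDENTRYPERM": "Require Custom Record Entries Permission",
    "USEPERMISSIONLIST": "Use Permission List",
}
PUBLIC_ACCESS = "NONEEDED"

# Heuristic for fields that usually hold PII; extend for your own data model.
PII_FIELD_TYPES = {"PHONE", "EMAIL", "ADDRESS"}
PII_LABEL_RE = re.compile(r"phone|mobile|e-?mail|address|passport|birth|ssn", re.I)

# Constructed sample export: one public CRT with PII, one public CRT without,
# and one CRT that is gated by permissions.
SAMPLE_OBJECTS = {
    "customrecord_promo_banner.xml": """
<customrecordtype scriptid="customrecord_promo_banner">
  <accesstype>NONEEDED</accesstype>
  <recordname>Promo Banner</recordname>
  <customrecordcustomfields>
    <customrecordcustomfield scriptid="custrecord_banner_text">
      <fieldtype>TEXT</fieldtype><label>Banner text</label>
    </customrecordcustomfield>
  </customrecordcustomfields>
</customrecordtype>""",
    "customrecord_delivery_contact.xml": """
<customrecordtype scriptid="customrecord_delivery_contact">
  <accesstype>NONEEDED</accesstype>
  <recordname>Delivery Contact</recordname>
  <customrecordcustomfields>
    <customrecordcustomfield scriptid="custrecord_dc_name">
      <fieldtype>TEXT</fieldtype><label>Recipient name</label>
    </customrecordcustomfield>
    <customrecordcustomfield scriptid="custrecord_dc_mobile">
      <fieldtype>PHONE</fieldtype><label>Mobile phone</label>
    </customrecordcustomfield>
    <customrecordcustomfield scriptid="custrecord_dc_addr">
      <fieldtype>TEXTAREA</fieldtype><label>Postal address</label>
    </customrecordcustomfield>
  </customrecordcustomfields>
</customrecordtype>""",
    "customrecord_loyalty_member.xml": """
<customrecordtype scriptid="customrecord_loyalty_member">
  <accesstype>CUSTRECORDENTRYPERM</accesstype>
  <recordname>Loyalty Member</recordname>
  <customrecordcustomfields>
    <customrecordcustomfield scriptid="custrecord_lm_email">
      <fieldtype>EMAIL</fieldtype><label>Email</label>
    </customrecordcustomfield>
  </customrecordcustomfields>
</customrecordtype>""",
}


def parse_crt(xml_text):
    """Return the scriptid, access type and custom fields of one CRT object."""
    root = ET.fromstring(xml_text.strip())
    fields = [{
        "scriptid": f.get("scriptid"),
        "fieldtype": (f.findtext("fieldtype") or "").upper(),
        "label": f.findtext("label") or "",
    } for f in root.iter("customrecordcustomfield")]
    return {
        "scriptid": root.get("scriptid"),
        "accesstype": (root.findtext("accesstype") or "").upper(),
        "fields": fields,
    }


def pii_fields(crt):
    """Script IDs of fields that look like PII by type or label (heuristic)."""
    return [f["scriptid"] for f in crt["fields"]
            if f["fieldtype"] in PII_FIELD_TYPES or PII_LABEL_RE.search(f["label"])]


def audit(objects):
    """Rank CRTs that an unauthenticated storefront visitor could read.

    Returns (scriptid, severity, pii_field_ids) tuples: "high" when a public
    CRT carries PII-looking fields, "medium" for any other public CRT.
    Permission-gated CRTs are not reported.
    """
    findings = []
    for xml_text in objects.values():
        crt = parse_crt(xml_text)
        if crt["accesstype"] != PUBLIC_ACCESS:
            continue  # reads require a permission, so no anonymous access
        pii = pii_fields(crt)
        findings.append((crt["scriptid"], "high" if pii else "medium", pii))
    findings.sort(key=lambda f: (f[1] != "high", f[0]))
    return findings


if __name__ == "__main__":
    for scriptid, severity, pii in audit(SAMPLE_OBJECTS):
        print(f"{severity:6} {scriptid:34} {ACCESS_LABELS[PUBLIC_ACCESS]}; "
              f"PII fields: {', '.join(pii) or '-'}")
```

Run it against the `Objects/` directory of an SDF project exported from your account instead of `SAMPLE_OBJECTS`. Every "high" finding is a CRT to move to "Require Custom Record Entries Permission" or "Use Permission List" straight away; each "medium" finding needs a check of whether the storefront actually reads that record before its access type is tightened, since that is where the legitimate-business-impact caveat above bites.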
Top threats to enterprises
Costello singled out unauthenticated data exposure through SaaS applications as a major threat to enterprises. As these platforms add functionality, finding and fixing such exposures will only get harder for security teams and platform administrators.