Flawed NetSuite Setup Leaves Customer Data Exposed

Thousands of Oracle NetSuite SuiteCommerce sites have been found to expose sensitive customer data because of misconfigured access controls on Custom Record Types (CRTs). The issue stems from user misconfiguration rather than a flaw in NetSuite, and it potentially exposes personal data such as addresses and phone numbers.

The Scope of the Issue

NetSuite is a widely used Software as a Service (SaaS) platform, known for integrating e-commerce operations with back-office processes like supply chain management. SuiteCommerce, one of its offerings, lets businesses deploy external-facing websites on a subdomain, where customers can browse, register, and purchase products online.

Research conducted by AppOmni has revealed that misconfigured CRTs in these websites can be exploited by attackers to gain unauthorized access to customer data. AppOmni’s Chief of SaaS Security Research, Aaron Costello, reported that several thousand public SuiteCommerce websites are already affected by this misconfiguration. The issue arises when organizations unintentionally deploy a public-facing website upon purchasing a NetSuite instance, often without realizing it. The most common type of data exposed is Personally Identifiable Information (PII), such as full addresses and mobile phone numbers of registered customers.

Understanding the Technical Flaw

To understand the issue, consider how NetSuite’s access control model works. NetSuite organizes its data into record types, which can be either Standard Record Types (SRTs) or Custom Record Types (CRTs). CRTs, which are created by the customer, are most at risk when misconfigured. If the access type for a CRT is set to “No Permission Required,” unauthorized users can access the data via NetSuite’s record and search APIs.

These APIs allow users to perform CRUD (Create, Read, Update, Delete) operations on records. While they are intended for legitimate use, they can be exploited by attackers if CRTs are misconfigured to allow public access. For example, an attacker could use the “loadRecord” function to retrieve all field values for a specific record ID. The issue is compounded by the fact that, even if a user does not have permission to view a particular field, the names of all fields within a record type are still returned, providing information to attackers.

Mitigation Strategies

AppOmni pointed out that NetSuite’s security is sound, but the real concern is how customers configure their systems. To mitigate the risk of data exposure, administrators are advised to take several steps:

  • Adjust the access type on CRTs to “Require Custom Record Entries Permission” or “Use Permission List” to ensure only authenticated users can access sensitive data.
  • Set the “Default Access Level” and “Default Level for Search/Reporting” to “None” to prevent unauthorized access to sensitive fields.
  • Temporarily take affected sites offline through NetSuite’s settings to reassess and reconfigure access controls.

While these steps can reduce the risk of data exposure, they may also impact the functionality of the website, especially for organizations that rely on public access to certain fields.
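The settings above can be checked across many record types at once. The following is an added example, not code from AppOmni or NetSuite: it audits a hand-compiled inventory of CRT settings, and the inventory layout, record names, field IDs and the EXPOSED/HARDEN labels are all assumptions made for the illustration.

```python
# Constructed inventory. The key names and record/field IDs are assumptions
# for this example; they are not a NetSuite export format.
SAMPLE_INVENTORY = [
    {"name": "customrecord_loyalty_member", "access_type": "No Permission Required",
     "fields": [
         {"id": "custrecord_phone", "default_access_level": "View", "default_search_level": "View"},
         {"id": "custrecord_address", "default_access_level": "None", "default_search_level": "None"},
     ]},
    {"name": "customrecord_store_hours", "access_type": "Use Permission List",
     "fields": [
         {"id": "custrecord_hours", "default_access_level": "None", "default_search_level": "None"},
     ]},
    {"name": "customrecord_warranty_claim", "access_type": "Require Custom Record Entries Permission",
     "fields": [
         {"id": "custrecord_serial", "default_access_level": "None", "default_search_level": "View"},
     ]},
]

PUBLIC_ACCESS = "No Permission Required"
RECOMMENDED_ACCESS = {"Require Custom Record Entries Permission", "Use Permission List"}
# "Default Access Level" and "Default Level for Search/Reporting" on each field.
FIELD_SETTINGS = ("default_access_level", "default_search_level")


def audit_record_type(crt):
    """Return (label, message) findings for one custom record type."""
    findings = []
    access = crt.get("access_type", "").strip()
    public = access == PUBLIC_ACCESS
    if public:
        # Field names are returned even when the field values are restricted.
        findings.append(("EXPOSED", f"access type is '{PUBLIC_ACCESS}'; field names are disclosed"))
    elif access not in RECOMMENDED_ACCESS:
        findings.append(("REVIEW", f"unrecognised access type {access!r}"))
    for field in crt.get("fields", []):
        for setting in FIELD_SETTINGS:
            level = field.get(setting, "").strip() or "unset"
            if level.lower() != "none":
                label = "EXPOSED" if public else "HARDEN"
                findings.append((label, f"{field['id']}: {setting} is '{level}', expected 'None'"))
    return findings


def audit(inventory):
    """Map each record type name to its list of findings."""
    return {crt["name"]: audit_record_type(crt) for crt in inventory}
```

A record type with an empty findings list matches both recommendations; a HARDEN finding marks a field default that is not “None” on a record type whose access type already requires permission.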

Challenges in Detecting Exploitation

One of the challenges identified by AppOmni is the difficulty in detecting if an organization’s NetSuite instance has been exploited. NetSuite does not provide easily accessible transaction logs that can be used to monitor or investigate potential misuse of these APIs. As a result, many organizations might remain unaware that their sites have been compromised. In such situations, AppOmni recommends that organizations contact NetSuite support to request raw log data for a more thorough investigation.

The discovery of this misconfiguration in Oracle NetSuite SuiteCommerce indicates the need for careful configuration and monitoring of SaaS platforms. Although the issue isn’t a security flaw within the NetSuite platform, customer misconfigurations increase the risk of data exposure. Organizations using NetSuite should review their configurations, including CRT access controls, to ensure that sensitive customer data is protected.

Misconfigured access controls in NetSuite SuiteCommerce sites can lead to exposure of sensitive customer data. Organizations are encouraged to review their configurations to reduce the risk of unauthorized access and better protect customer information. Regular monitoring and adjustments can help maintain data security.

Photo credits: monticellllo, AdobeStock.com


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth focuses on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone