On August 15, 2024, cybersecurity researchers from AppOmni alerted consumers about a significant vulnerability within the Oracle NetSuite SuiteCommerce platform that could potentially enable hackers to access sensitive customer information. The researchers discovered that thousands of businesses utilizing this platform face a heightened risk of data leaks due to a common misconfiguration error related to access controls. Importantly, this issue stems not from an inherent flaw within NetSuite itself but rather from how individual businesses configure their access settings. The misconfigured access controls pertain specifically to custom record types (CRTs), which can inadvertently expose sensitive data to unauthorized users.
To address the vulnerability, AppOmni provided several recommendations for administrators managing the SuiteCommerce platform. They urged administrators to tighten access controls on CRTs and to ensure that sensitive fields are set to ‘None’ for public access. Additionally, it was suggested that businesses consider temporarily taking affected sites offline to prevent immediate data exposure while they rectify the configuration issues. This proactive approach is crucial in safeguarding customer information until proper security measures can be put in place.
The report also detailed the importance of correct access settings for unauthenticated users. It highlighted that for CRTs to restrict unauthorized access, an access type of ‘No Permissions Required’ should be established, and the ‘Default Access Level’ for individual fields must be carefully defined. Unauthenticated users can attempt to access data via search APIs, but they require Edit level permissions to the ‘Default Level for Search / Reporting’ (DLSR) field setting for this access to be granted. While this presents a minor security benefit, the default configuration often leaves the DLSR field set to Edit when first created, thereby exposing a vulnerability that could be exploited by malicious actors.
To illustrate the risk further, the report provided a proof-of-concept demonstration in a test environment featuring a SiteBuilder-based website. It included a vulnerable CRT with specific access types that enabled data exfiltration by unauthenticated users. The test scenario illustrated how attackers could identify and retrieve CRT names and sensitive information through HTTP traffic analysis and brute-force methods. This highlights the ongoing challenge of ensuring robust security practices and the necessity for businesses to rigorously evaluate their access control configurations to protect against potential data breaches effectively.
Reference: