A widespread misconfiguration in Oracle NetSuite’s SuiteCommerce enterprise resource planning (ERP) platform has left sensitive customer data exposed across thousands of websites.
Security firm AppOmni uncovered the issue, describing how many businesses using NetSuite to support e-commerce have inadvertently allowed unauthorized access to customer records due to misconfigured access controls on custom record types (CRTs).
These CRTs store critical data such as personal addresses and phone numbers, making them an attractive target for cybercriminals.
“Thousands of these organizations are leaking sensitive customer data to the public through misconfigurations in their access controls,” Aaron Costello, chief of SaaS security research at AppOmni, wrote in the blog. “The sheer scale at which I found these exposures to be occurring is significant.”
Widespread Oracle NetSuite Misconfiguration
The issue lies not with NetSuite’s platform itself, but in the way some website admins configure their stores, allowing unauthorized users to access customer data through leaky APIs.
The misconfiguration, which primarily affects externally facing stores on SuiteCommerce, essentially allows unauthorized individuals to query sensitive information without authentication, by way of URL manipulation, according to AppOmni.
Costello wrote in the report that it appears the most commonly exposed form of sensitive data is personally identifiable information (PII) of registered customers, including full addresses and mobile phone numbers.
NetSuite responded to the issue by urging customers to review their security settings and follow best practices to protect their CRTs from unauthorized access.
Costello noted that despite these efforts, many businesses may remain unaware that their sites are leaking sensitive data, or whether they’re being targeted. That’s because NetSuite does not provide easily accessible transaction logs, making it difficult for companies to detect whether they’ve been exploited.
He added many organizations are struggling to implement and maintain a robust software-as-a-service (SaaS) security program, and said more education is needed so organizations can be better prepared to identify and tackle both known and unknown risks to their SaaS applications.
“As vendors introduce increasingly complex functionality into their products to remain competitive these risks will become even more prevalent,” according to the report. “Organizations attempting to tackle this issue will face difficulties in doing so, as it is often just through bespoke research that these avenues of attack can be uncovered.”
SaaS Cyberecurity Issues Rise
The NetSuite findings as well as recent attacks on customer accounts hosted on the Snowflake platform highlight the growing security risks in SaaS environments.
At the heart of this is the fact that SaaS platforms have significantly altered the modern attack surface, making some traditional attack steps unnecessary or easier for adversaries, according to AppOmni.
Specifically, the traditional Lockheed Martin cyber kill chain — a classic basis for defending against attacks — identifies the steps of a successful campaign: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives (data exfiltration, malware implantation).
But in SaaS environments, “the kill chain from an attacker’s perspective is really centralized down to a couple of points: initial access and credential access, and collection and exfiltration,” Brandon Levene, principal product manager, threat detection, at AppOmni told Dark Reading at Black Hat last week.
Accordingly, threat actors are now actively targeting enterprise data within SaaS applications; the adversaries include less sophisticated outfits as well as infamous gangs like Scattered Spider, which has pivoted to SaaS after traditionally focusing on Microsoft cloud environments and on-premises infrastructure.
So, as organizations expand their use of SaaS applications, they must rethink their approach to the cyber kill chain and adjust their defenses accordingly. For instance, in the case of e-commerce platforms, administrators should “begin assessing access controls at the field level in website forms, and identify which, if any, fields are required to be exposed,” according to AppOmni. Then, they can lock down those fields that don’t need public access.