NetSuite vulnerability could leave thousands of websites exposed

Researchers have warned of a new vulnerability in NetSuite’s SuiteCommerce tool that could expose sensitive data. 

Stemming from misconfigured access controls, the vulnerability leaves sensitive personally identifiable information (PII) exposed, including the full addresses and mobile phone numbers of customers

The vulnerability has already left several thousand live SuiteCommerce websites vulnerable and the extent of potential damage could be far-reaching.

"NetSuite is one of the world’s leading enterprise resource planning (ERP) systems and handles business critical data for thousands of organizations,” AppOmni researcher Aaron Costello told ITPro.

“My research found that thousands of these organizations are leaking sensitive customer data to the public through misconfigurations in their access controls. The sheer scale at which I found these exposures to be occurring is significant,” he added.

Costello noted that the issue can be attributed to “the way that access controls are configured in SuiteCommerce instances.”

These access controls are misconfigured more specifically in custom record types (CRTs), a form of table created by enterprises who use the SuiteCommerce platform.

Using a test environment to create a proof of concept (PoC) for the attack vector, Costello outlined how it would be possible for a malicious actor to exfiltrate data as an unauthenticated user.

Assuming an attacker knows the name of the CRT - which can be done through observation of HTTP traffic or brute-forcing the API endpoint - they can then obtain record identifications within the same CRT.

Once they have the record IDs, the attacker can read the data with “load record” by sending a request to the “Burp Intruder tab.” They could also read specific fields using “search record” functions.

NetSuite does not provide “readily available transaction logs” though, according to the report. Such logs could be useful in determining the malicious use of the client-side APIs deployed on this attack vector.

“If you suspect that your organization may have been the victim of an attack that resembles a pattern similar to what was discussed in this blog post, we recommend contacting NetSuite support and requesting the raw log data,” Costello advised.

To mitigate against future risk, administrators need to tighten up access controls on CRTs, as well as convert sensitive fields to “None” for public access so that information is not as vulnerable.

Admins should also consider taking impacted sites offline, at least for the time being, so as to prevent the exposure of data any further.

“Many organizations are struggling to implement and maintain a robust SaaS security program,” Costello said.

“Through research like this, AppOmni strives to educate and equip organizations so that they may be better prepared to identify and tackle both known and unknown risks to their SaaS applications,” he added.