Thousands of NetSuite customers accidentally exposing their data

Thousands of Organisations Exposing Sensitive Data Due to Misconfigured Access Controls in NetSuite SuiteCommerce

Researchers have discovered that thousands of organisations using NetSuite SuiteCommerce are inadvertently exposing their most sensitive data because of misconfigured access controls in custom record types (CRTs) within their SuiteCommerce instances. According to Aaron Costello, chief of software-as-a-service (SaaS) research at AppOmni, this misconfiguration results in the unintentional creation of a public-facing default stock website, making it easy for data to be exfiltrated.

Costello emphasized that many affected users were unaware that they were leaking large amounts of data, including personally identifiable information (PII) such as postal addresses and mobile phone numbers.

“NetSuite is a leading enterprise resource planning (ERP) system that handles critical data for numerous organisations,” said Costello, who has previously uncovered similar issues affecting customers of other major SaaS providers like Salesforce and ServiceNow.

Costello’s research revealed that many organisations are unknowingly exposing sensitive customer data through access control misconfigurations. He highlighted the significant scale at which these exposures are occurring.

“Many organisations struggle to establish and maintain a robust SaaS security program,” Costello added. “Through research like this, AppOmni aims to educate and empower organisations to better identify and address risks to their SaaS applications.”

Understanding the Vulnerability

NetSuite’s ERP platform allows users to deploy public stores using SuiteCommerce or SiteBuilder, enabling unauthenticated customers to register, browse, and purchase products. These sites contain standard record types (SRTs) and custom record types (CRTs); CRTs are more flexible, but they become exposed if their access controls are not properly configured.

If CRT access controls are too permissive, API calls from the public-facing site can be used to read and exfiltrate the records, posing a significant security risk. Costello clarified that this issue is not due to a known vulnerability in NetSuite’s products but rather to user misconfiguration.

Mitigating the Risk

As of now, organisations may not be able to determine whether they have already had data exfiltrated through this misconfiguration, because NetSuite currently does not provide transaction logs that would reveal malicious API usage.

To address the issue, users are advised to review AppOmni’s detailed write-up and to seek support from NetSuite if suspicious activity is detected. Hardening access controls on CRTs is the most effective way to prevent data leakage, although tightening them may impact legitimate business operations and should be tested before rollout.

Rising Concerns for Enterprises

Costello highlighted unauthenticated data exposure via SaaS applications as a top threat to enterprises, with the growing complexity of these platforms increasing the risk. Addressing such exposures requires dedicated research and resources, which poses challenges for security teams and platform administrators.

“Large enterprises must prioritize securing their SaaS applications to meet diverse business needs and protect sensitive data,” Costello concluded.
