Zffoto - stock.adobe.com

Thousands of NetSuite customers accidentally exposing their data

Misconfigured permissions across live websites are leaving thousands of NetSuite users open to having their valuable customer data stolen, researchers say

Thousands of organisations using NetSuite SuiteCommerce are unknowingly exposing their most sensitive data as a result of misconfigured access controls in custom record types (CRTs) contained in their SuiteCommerce instances, researchers are claiming.

According to Aaron Costello, chief of software-as-a-service (SaaS) research at AppOmni, the impact of this misconfiguration is to unintentionally and unknowingly create and deploy a public-facing, default stock website through which data can be exfiltrated with relative ease.

He said that many of the affected users had absolutely no idea they were leaking data by the bucket-load as a result.

In many cases, this included the personally identifiable information (PII) of registered customers, including postal addresses and mobile phone numbers.

“NetSuite is one of the world’s leading enterprise resource planning [ERP] systems and handles business-critical data for thousands of organisations,” said Costello, who has previously uncovered similar issues affecting customers of other major-league SaaS suppliers such as Salesforce and ServiceNow.

“My research found that thousands of these organisations are leaking sensitive customer data to the public through misconfigurations in their access controls,” he said. “The sheer scale at which I found these exposures to be occurring is significant.

“Many organisations are struggling to implement and maintain a robust SaaS security programme,” said Costello. “Through research like this, AppOmni strives to educate and equip organisations so that they may be better prepared to identify and tackle both known and unknown risks to their SaaS applications.”

How it works

One of the most widely used features of NetSuite’s ERP platform is the ability to deploy a public store using SuiteCommerce or SiteBuilder. These are deployed on a subdomain of the user’s NetSuite tenant and enable unauthenticated customers to register, browse and buy their products directly – the main benefit being to provide both e-commerce and back-office capabilities in one platform, thus streamlining order processing, fulfilment and inventory management.

Each of these deployed sites contains two types of data table, a standard record type (SRT), which is more heavily locked-down, and the above-mentioned CRT, which is used to store custom data and considered more flexible because it can be configured per the user’s needs. However, according to Costello, it’s relatively easy to miss the various settings needed to properly configure access to each data field.

Therefore, if proper attention has not been paid to locking down access controls for the CRTs, they become vulnerable to a malicious application programming interface (API) call via which a threat actor could – if they became aware of the CRT’s name – exfiltrate the data.

Costello reiterated that the issue is not the result of any known vulnerability in NetSuite’s product suite, but rather the result of inadvertent actions taken by the users themselves when setting up their instances.

Fixing the problem

Unfortunately, it’s not possible at this time to determine whether or not your organisation has fallen victim to data exfiltration as a result of this set of circumstances. This is because at the time of writing, NetSuite does not provide transaction logs to determine malicious use of client-side APIs.

In the absence of this information, users are best advised to look through AppOmni’s in-depth write-up, which includes a full technical breakdown and proof-of-concept (PoC), and if you notice an attack pattern similar to that proposed by Costello, the advice is to contact NetSuite support and request the raw log data.

The only guaranteed way to avoid the issue is to harden access controls on CRTs, which will involve changing access permissions or definitions. This may impact some legitimate business needs and even force legitimate websites offline, so admins are advised to tread very carefully – the task may prove a laborious one.

Top threats to enterprises

Costello said it was becoming clear that unauthenticated data exposure via SaaS applications is now among the top threats to enterprises, and with increasingly complex functionality heading down the pipe, this would only heighten the risk.

“Organisations attempting to tackle this issue will face difficulties in doing so, as it is often just through bespoke research that these avenues of attack can be uncovered,” he wrote.

“Security teams and platform administrators don’t have the time and resources required to address these issues, particularly large enterprises that have operationalised several enterprise SaaS applications to fulfil multiple demands across their lines of business.”

Read more about securing SaaS deployments

  • SaaS has become ubiquitous. To secure it, take steps to inventory SaaS usage, securely authenticate usage, encrypt data, adopt single sign-on and more.
  • Securing SaaS applications is more important and confusing than ever. Consider visibility, UX and workflow when creating a SaaS security strategy and adopting tools.
  • This cloud security guide explains challenges enterprises face today; best practices for securing and managing SaaS, IaaS and PaaS; and comparisons of cloud-native security tools.

Read more on Privacy and data protection