
Misconfigurations In Oracle NetSuite E-Commerce Sites Risk Exposing Customer Data

Cybersecurity experts warn that misconfigured access controls in NetSuite’s SuiteCommerce platform could expose sensitive customer information on e-commerce sites

Cybersecurity researchers have issued a warning after discovering thousands of Oracle NetSuite e-commerce sites that are at risk of leaking sensitive customer information. According to Aaron Costello of AppOmni, the issue arises from misconfigured access controls on custom record types (CRTs) within NetSuite’s SuiteCommerce platform.

It is crucial to understand that this problem is not a security flaw in the NetSuite product itself but rather a result of customer misconfigurations. The exposed data includes full addresses and mobile phone numbers of registered customers on the affected e-commerce sites.

The attack method detailed by AppOmni exploits CRTs configured with the “No Permission Required” access type, allowing unauthenticated users to access data via NetSuite’s record and search APIs. However, for the attack to succeed, the attacker must first know the names of the CRTs in use.

To reduce the risk, site administrators are advised to strengthen access controls on CRTs, set sensitive fields to “None” for public access, and consider temporarily taking affected sites offline to prevent further data exposure. Aaron Costello suggests that the simplest solution from a security perspective may involve changing the access type of the record type definition to either “Require Custom Record Entries Permission” or “Use Permission List.”
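The two conditions described above (a CRT whose access type is "No Permission Required" and sensitive fields whose public access level is not "None") can be checked mechanically over an inventory of record type definitions. The following is an added example, not code from the article, AppOmni or Oracle. It assumes a simplified, constructed input shape (record script id, access type label, and a per-field map of public access levels); this is not NetSuite's real export or API format, and the `SENSITIVE_FIELD_HINTS` name heuristic is an assumption that should be replaced with an explicit list of the fields your site treats as sensitive.

```python
"""Audit custom record type (CRT) definitions for public-access exposure.

Added example, not the article's or NetSuite's own code. The input shape is
a constructed simplification: adapt the loader to whatever inventory you
actually pull from your account.
"""
import dataclasses
from dataclasses import dataclass

# Access type labels as named in the article (NetSuite UI wording).
NO_PERMISSION_REQUIRED = "No Permission Required"
REQUIRE_CUSTOM_RECORD_ENTRIES_PERMISSION = "Require Custom Record Entries Permission"
USE_PERMISSION_LIST = "Use Permission List"

# Assumption: field names containing these substrings are treated as sensitive.
SENSITIVE_FIELD_HINTS = ("address", "phone", "mobile", "email")


@dataclass
class CustomRecordType:
    script_id: str
    access_type: str
    # Constructed: field script id -> public access level ("None", "View", "Edit").
    field_access: dict = dataclasses.field(default_factory=dict)


@dataclass
class Finding:
    script_id: str
    exposed_fields: list
    recommendation: str


def is_sensitive(field_name: str) -> bool:
    """Heuristic (assumption): match on common PII-bearing field names."""
    name = field_name.lower()
    return any(hint in name for hint in SENSITIVE_FIELD_HINTS)


def audit(crts):
    """Return one Finding per CRT that is publicly readable AND exposes a
    sensitive field to unauthenticated users."""
    findings = []
    for crt in crts:
        if crt.access_type != NO_PERMISSION_REQUIRED:
            continue  # access already gated by a permission check
        exposed = sorted(
            name for name, level in crt.field_access.items()
            if is_sensitive(name) and level != "None"
        )
        if exposed:
            findings.append(Finding(
                crt.script_id,
                exposed,
                f"change access type to '{REQUIRE_CUSTOM_RECORD_ENTRIES_PERMISSION}' "
                f"or '{USE_PERMISSION_LIST}', or set public access on "
                f"{', '.join(exposed)} to 'None'",
            ))
    return findings


# Constructed sample inventory: one misconfigured CRT, one public CRT with no
# sensitive fields, one CRT already gated by a permission list.
SAMPLE_CRTS = [
    CustomRecordType("customrecord_loyalty_profile", NO_PERMISSION_REQUIRED, {
        "custrecord_shipping_address": "View",
        "custrecord_mobile_phone": "View",
        "custrecord_tier": "View",
    }),
    CustomRecordType("customrecord_store_locations", NO_PERMISSION_REQUIRED, {
        "custrecord_store_name": "View",
        "custrecord_opening_hours": "View",
    }),
    CustomRecordType("customrecord_order_notes", USE_PERMISSION_LIST, {
        "custrecord_contact_phone": "View",
    }),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CRTS):
        print(f"{f.script_id}: exposes {', '.join(f.exposed_fields)} -> {f.recommendation}")
```

Running the script reports only `customrecord_loyalty_profile`: the store-locations record is public but carries nothing sensitive under the heuristic, and the order-notes record exposes a phone field but is already gated by a permission list. A public CRT with no flagged fields still deserves manual review, since the name heuristic is only a starting point.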

This disclosure comes alongside another significant finding by Cymulate, which revealed a method to manipulate the credential validation process in Microsoft Entra ID (formerly Azure Active Directory) and bypass authentication in hybrid identity infrastructures. However, this attack requires admin access to a server hosting a Pass-Through Authentication (PTA) agent, and it stems from how Entra ID handles multiple on-premises domains that are synced to a single Azure tenant.
