Research finds critical security flaw exposes PII data in Oracle’s popular ERP platform
Alarming security research has found that thousands of NetSuite online stores, powered by Oracle’s popular enterprise resource planning (ERP) platform, are inadvertently leaking sensitive customer personally identifiable information (PII) because of errors in their access control settings.
The access control misconfiguration allows any unauthenticated attacker to extract valuable PII such as customers’ full names, addresses, phone numbers and order histories directly from these stores via NetSuite’s own REST APIs.
According to security researcher Aaron Costello of AppOmni, who discovered this critical vulnerability, “several thousand live public SuiteCommerce websites are already affected”. Costello notified NetSuite of the finding in July 2022 but was unfortunately told that the behavior was “working as intended”.
NetSuite allows its customers to build flexible online stores directly connected to their back-end operations using features like SuiteCommerce and Site Builder. However, Costello found that many NetSuite customers lacked proper understanding of access controls for custom record types (CRTs) – a core NetSuite feature to customize and extend its data model.
How the Vulnerability Works
NetSuite provides standard as well as custom record types that can store data. While standard records have strict access controls and can’t be accessed without authentication, custom records (CRTs) are highly customizable but require careful access management.
CRTs have table-level access settings that control access to the whole table, as well as field-level permissions. The default access type, “No Permission Required”, exposes the entire CRT to the public without authentication; individual fields can then optionally be secured.
However, Costello discovered that even if a field’s default access is set to “None”, it may still be searchable via NetSuite’s nlapiSearchRecord API if the “Default Level for Search/Reporting” is not explicitly set to “None”.
He showed that an attacker can first use this API to obtain the metadata of all fields in an exposed CRT. The loadRecord API, which requires field IDs, can then be used to read the values of the accessible fields. Even fields marked inaccessible can have their data extracted through a search once their names are known, completely bypassing the field-level access controls.
Impact and Mitigation
The large-scale exposure of PII data to public APIs poses significant privacy and compliance risks. Through just a few API calls, an attacker can easily assemble complete customer profiles en masse.
As a mitigation, all sites must be temporarily taken offline for review. Only CRTs actually requiring public access should be left that way after thoroughly securing all sensitive fields. Transaction logs and API analytics should also be closely monitored.
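As an added illustration, not code from AppOmni, NetSuite or this article, the following Python audit encodes the exposure pattern described in the previous section and the mitigation above: for a CRT left at “No Permission Required” it flags every field an unauthenticated caller could read, including the trap where a field’s access level is “None” but its “Default Level for Search/Reporting” is not, and shows the corrected field settings. The dictionary layout, the record and field IDs and the “View” values are assumptions, not NetSuite’s export format or option names.

```python
# Audit custom record type (CRT) settings for the exposure pattern described above.
# The dict layout is a constructed stand-in for a CRT definition, not NetSuite's export
# format: only "No Permission Required" and "None" are settings quoted in the article;
# every other value here is a placeholder.
NO_PERMISSION_REQUIRED = "No Permission Required"

def field_exposures(crt):
    """List (field_id, reason) for every field an unauthenticated caller could read."""
    # A CRT whose access type requires a permission is not publicly exposed at all.
    if crt["access_type"] != NO_PERMISSION_REQUIRED:
        return []
    findings = []
    for field in crt["fields"]:
        access = field["default_access_level"]
        search = field["default_search_reporting_level"]
        if access != "None":
            findings.append((field["id"], "readable: default access level is %r" % access))
        elif search != "None":
            # The trap from the article: access "None" hides the field from a record
            # load, but it stays searchable unless search/reporting is also "None".
            findings.append((field["id"], "searchable: search/reporting level is %r" % search))
    return findings

def harden(crt, sensitive_field_ids):
    """Return a copy of the CRT with both levels set to "None" for the named fields."""
    fixed = {**crt, "fields": []}
    for field in crt["fields"]:
        if field["id"] in sensitive_field_ids:
            field = {**field, "default_access_level": "None",
                     "default_search_reporting_level": "None"}
        fixed["fields"].append(field)
    return fixed

# Constructed sample: a public CRT whose PII fields were "secured" only through the
# default access level, leaving the search/reporting level at a non-"None" value.
SAMPLE_CRT = {
    "id": "customrecord_example_orders",  # placeholder record id
    "access_type": NO_PERMISSION_REQUIRED,
    "fields": [
        {"id": "custrecord_full_name", "default_access_level": "None", "default_search_reporting_level": "View"},
        {"id": "custrecord_phone", "default_access_level": "View", "default_search_reporting_level": "View"},
        {"id": "custrecord_display_label", "default_access_level": "View", "default_search_reporting_level": "View"},
    ],
}

if __name__ == "__main__":
    for fid, why in field_exposures(SAMPLE_CRT):
        print(fid, "-", why)
    print("after hardening:", field_exposures(harden(SAMPLE_CRT, {"custrecord_full_name", "custrecord_phone"})))
```

After hardening, only the field intended to be public (the display label) is still reported, which is the end state the mitigation above describes.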
This critical vulnerability demonstrates the need for organizations to deeply understand access management in SaaS platforms like NetSuite before leveraging public-facing features. Unless proactively addressed, weaknesses like this can continue to put customer trust and privacy at high risk.