Security Firm AppOmni Warns of Data Exposure Loophole in SuiteCommerce


Software-as-a-service (SaaS) security company AppOmni cautioned administrators at companies using NetSuite’s SuiteCommerce platform about a common customer misconfiguration that can cause data exposure.

Misconfigured access controls on custom record types (CRTs) could allow attackers to read sensitive data through SuiteCommerce, the NetSuite feature that powers external-facing stores, Aaron Costello, chief of SaaS security research at AppOmni, wrote in a Thursday (Aug. 15) blog post on the company’s website.

For administrators looking to mitigate this risk, Costello suggested tightening access controls on CRTs, setting sensitive fields to “None” for public access, and considering temporarily taking their sites offline, according to the post.
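The following is an added illustration, not code from the article or from AppOmni, of the check an administrator would want to run against the mitigation above. It models a CRT as a set of fields, each with the access level granted to the public (not logged in) storefront role, flags PII-looking fields that remain readable, and applies the "None" setting to them. It does not use NetSuite's real APIs; the access-level names, the PII heuristic and the sample record names are assumptions constructed for the example.

```python
"""Audit model for the SuiteCommerce CRT misconfiguration described above.

Hypothetical, constructed example: it does not call NetSuite's real APIs.
A custom record type (CRT) is modelled as a name plus field definitions,
each carrying the access level granted to the public (unauthenticated)
storefront role. The audit flags fields that look like PII yet are
readable by that role; the hardening step sets those fields to "None".
"""
import re
from dataclasses import dataclass, replace

# Access levels, from most to least permissive. Assumption: NetSuite's
# own level names may differ; only "none" matters to the check below.
ACCESS_LEVELS = ("full", "edit", "view", "none")

# Field-name fragments that usually indicate PII (constructed heuristic).
PII_PATTERNS = tuple(
    re.compile(p, re.IGNORECASE)
    for p in (r"addr", r"phone|mobile", r"email", r"birth|dob", r"ssn|tax")
)


@dataclass(frozen=True)
class CrtField:
    name: str
    public_access: str  # one of ACCESS_LEVELS

    def __post_init__(self):
        if self.public_access not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level: {self.public_access}")


@dataclass(frozen=True)
class CustomRecordType:
    name: str
    fields: tuple  # tuple of CrtField


def looks_like_pii(field_name: str) -> bool:
    return any(p.search(field_name) for p in PII_PATTERNS)


def publicly_readable(f: CrtField) -> bool:
    # Anything above "none" lets the public role read the field's value.
    return f.public_access != "none"


def audit(crt: CustomRecordType) -> list:
    """Return (record type, field, access) for every publicly readable PII field."""
    return [
        (crt.name, f.name, f.public_access)
        for f in crt.fields
        if looks_like_pii(f.name) and publicly_readable(f)
    ]


def harden(crt: CustomRecordType) -> CustomRecordType:
    """Set public access to "none" on PII fields; leave other fields untouched."""
    fixed = tuple(
        replace(f, public_access="none") if looks_like_pii(f.name) else f
        for f in crt.fields
    )
    return replace(crt, fields=fixed)


# Constructed sample: a customer-profile CRT whose PII fields were left
# readable by the public storefront role (names follow NetSuite's
# customrecord_/custrecord_ convention but are invented here).
MISCONFIGURED = CustomRecordType(
    "customrecord_customer_profile",
    (
        CrtField("custrecord_full_address", "view"),
        CrtField("custrecord_mobile_phone", "view"),
        CrtField("custrecord_loyalty_tier", "view"),
    ),
)

if __name__ == "__main__":
    for rec, fld, lvl in audit(MISCONFIGURED):
        print(f"EXPOSED {rec}.{fld}: public access = {lvl}")
    print("after hardening:", audit(harden(MISCONFIGURED)))
```

The hardening step only touches fields the heuristic classifies as PII, so a non-sensitive field such as the loyalty tier stays readable by the storefront; in practice an administrator would review the flagged list rather than rely on name matching alone.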

NetSuite did not immediately reply to PYMNTS’ request for comment.

Costello highlighted in his blog post that this potential data exposure has to do with a customer misconfiguration, not a problem with the product itself.

“Some of the media coverage on this issue misstates it as a security vulnerability in the NetSuite product,” Costello said in the post. “To be clear, this article is intended for customers to understand how NetSuite security works and how to address a potential but common customer misconfiguration that can cause data exposure.”

The attack vector identified by Costello centers on sites built using SuiteCommerce that can allow unauthorized customers to browse, register and purchase products, according to the post.

This attack vector affects thousands of live public SuiteCommerce websites and could allow criminals to steal record data from organizations with public sites, per the post.

“In many such cases, organizations using NetSuite that had no intention of deploying a commercial store were entirely unaware that a default stock website had been deployed publicly upon purchase of their instance,” Costello wrote. “From my observations of these sites, the most commonly exposed form of sensitive data has been PII [personally identifiable information] of registered customers, which included full addresses and mobile phone numbers.”

This report comes during a year PYMNTS has dubbed “the Year of the Cyberattack.”

During the first half of 2024, data extortion and ransomware attacks had a substantial impact on businesses, with a number of such attacks causing waves across the marketplace, PYMNTS reported in July.