New Vulnerability Could Expose Sensitive Data on Thousands of Sites

In a recent deep dive into the architecture of NetSuite, a popular SaaS Enterprise Resource Planning (ERP) platform, cybersecurity expert Aaron Costello of AppOmni has uncovered a significant vulnerability that could expose sensitive customer data on thousands of public-facing websites. These websites, often set up without the explicit knowledge of the companies using NetSuite, are at risk due to a misconfiguration that leaves them open to unauthorized data access.

NetSuite is widely used by businesses to manage various back-office processes, including supply chain management and order fulfillment, all within a single platform. One of its standout features is the ability to create external-facing e-commerce stores through SuiteCommerce or SiteBuilder. These stores are deployed on a subdomain of the NetSuite tenant, allowing customers to browse, register, and make purchases directly. However, Costello’s research reveals a darker side to this convenience.

According to Costello, “several thousand live public SuiteCommerce websites are already affected.” The primary concern? Unauthenticated users, or bad actors, could potentially steal sensitive data, including Personally Identifiable Information (PII) like customer addresses and phone numbers. This vulnerability stems from a default setup in NetSuite, where a public-facing website might be deployed without the organization’s awareness.

This isn’t just a theoretical risk: Costello’s initial investigations have confirmed that this misconfiguration is more common than most organizations realize. Because these sites are deployed by default, companies that never intended to launch an e-commerce store could still have one publicly accessible, complete with potentially sensitive customer data.

For businesses using NetSuite, this vulnerability presents a significant security challenge. Costello notes that the most commonly exposed data includes the PII of registered customers. “In many such cases, organizations using NetSuite that had no intention of deploying a commercial store were entirely unaware that a default stock website had been deployed publicly upon purchase of their instance,” Costello explains.

In response to these findings, Costello’s company, AppOmni, has developed a new feature for its customers—an AppOmni Insight that automatically detects and alerts on instances of this misconfiguration in NetSuite environments. This tool aims to give organizations the visibility they need to secure their data proactively.

To understand the technical details, Costello breaks down how the NetSuite access control model works and how the vulnerability can be exploited. He explains that NetSuite’s frontend components interact with the server through a series of web-accessible API endpoints. These APIs allow client-side scripts to perform operations on the server, such as loading or searching for data records. The issue arises when these APIs are left accessible to unauthenticated users.

For example, NetSuite’s architecture includes a feature known as “loadRecord,” which allows data to be pulled from the server based on a record ID. If a misconfigured website allows public access, a bad actor could use this feature to pull sensitive information from the database without needing to authenticate.

Costello’s findings underscore the importance of understanding and properly configuring access controls within NetSuite. He emphasizes that while NetSuite restricts unauthenticated access to custom record types (CRTs), these protections can be bypassed if the CRTs are not correctly configured. The real danger lies in the fact that even when fields are restricted from public view, their existence—and sometimes their content—can still be inferred through certain API calls.

So, what can businesses do to protect themselves? Costello suggests a proactive approach, including tightening access controls at both the table and field levels within NetSuite. For fields that must be exposed, organizations should carefully assess the level of access granted to unauthenticated users. In severe cases of data exposure, temporarily taking a site offline may be the best course of action.

Costello’s research into NetSuite follows his previous work on similar vulnerabilities in other major SaaS platforms like ServiceNow and Salesforce. As the complexity of SaaS platforms grows, so too do the risks associated with them. Costello warns that unauthenticated data exposure is becoming one of the top threats facing enterprises today, particularly as vendors add new features to stay competitive.