Close Menu
Edu Expertise Hub
    Facebook X (Twitter) Instagram
    Saturday, July 5
    • About us
    • Contact
    • Submit Coupon
    Facebook X (Twitter) Instagram YouTube
    Edu Expertise Hub
    • Home
    • Udemy Coupons
    • Best Online Courses and Software Tools
      • Business & Investment
      • Computers & Internet
      • eBusiness and eMarketing
    • Reviews
    • Jobs
    • Latest News
    • Blog
    • Videos
    Edu Expertise Hub
    Home » Latest News » Thousands of NetSuite customers accidentally exposing their data
    Latest News

    Thousands of NetSuite customers accidentally exposing their data

    TeamBy TeamAugust 17, 2024No Comments4 Mins Read0 Views
    Facebook Twitter Pinterest LinkedIn Telegram Tumblr Email
    Thousands of NetSuite customers accidentally exposing their data
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Thousands of organisations using NetSuite SuiteCommerce are unknowingly exposing their most sensitive data as a result of misconfigured access controls in custom record types (CRTs) contained in their SuiteCommerce instances, researchers are claiming.

    According to Aaron Costello, chief of software-as-a-service (SaaS) research at AppOmni, the impact of this misconfiguration is to unintentionally and unknowingly create and deploy a public-facing, default stock website through which data can be exfiltrated with relative ease.

    He said that many of the affected users had absolutely no idea they were leaking data by the bucket-load as a result.

    In many cases, this included the personally identifiable information (PII) of registered customers, including postal addresses and mobile phone numbers.

    “NetSuite is one of the world’s leading enterprise resource planning [ERP] systems and handles business-critical data for thousands of organisations,” said Costello, who has previously uncovered similar issues affecting customers of other major-league SaaS suppliers such as Salesforce and ServiceNow.

    “My research found that thousands of these organisations are leaking sensitive customer data to the public through misconfigurations in their access controls,” he said. “The sheer scale at which I found these exposures to be occurring is significant.

    “Many organisations are struggling to implement and maintain a robust SaaS security programme,” said Costello. “Through research like this, AppOmni strives to educate and equip organisations so that they may be better prepared to identify and tackle both known and unknown risks to their SaaS applications.”

    How it works

    One of the most widely used features of NetSuite’s ERP platform is the ability to deploy a public store using SuiteCommerce or SiteBuilder. These are deployed on a subdomain of the user’s NetSuite tenant and enable unauthenticated customers to register, browse and buy their products directly – the main benefit being to provide both e-commerce and back-office capabilities in one platform, thus streamlining order processing, fulfilment and inventory management.

    Each of these deployed sites contains two types of data table, a standard record type (SRT), which is more heavily locked-down, and the above-mentioned CRT, which is used to store custom data and considered more flexible because it can be configured per the user’s needs. However, according to Costello, it’s relatively easy to miss the various settings needed to properly configure access to each data field.

    Therefore, if proper attention has not been paid to locking down access controls for the CRTs, they become vulnerable to a malicious application programming interface (API) call via which a threat actor could – if they became aware of the CRT’s name – exfiltrate the data.

    Costello reiterated that the issue is not the result of any known vulnerability in NetSuite’s product suite, but rather the result of inadvertent actions taken by the users themselves when setting up their instances.

    Fixing the problem

    Unfortunately, it’s not possible at this time to determine whether or not your organisation has fallen victim to data exfiltration as a result of this set of circumstances. This is because at the time of writing, NetSuite does not provide transaction logs to determine malicious use of client-side APIs.

    In the absence of this information, users are best advised to look through AppOmni’s in-depth write-up, which includes a full technical breakdown and proof-of-concept (PoC), and if you notice an attack pattern similar to that proposed by Costello, the advice is to contact NetSuite support and request the raw log data.

    The only guaranteed way to avoid the issue is to harden access controls on CRTs, which will involve changing access permissions or definitions. This may impact some legitimate business needs and even force legitimate websites offline, so admins are advised to tread very carefully – the task may prove a laborious one.

    Top threats to enterprises

    Costello said it was becoming clear that unauthenticated data exposure via SaaS applications is now among the top threats to enterprises, and with increasingly complex functionality heading down the pipe, this would only heighten the risk.

    “Organisations attempting to tackle this issue will face difficulties in doing so, as it is often just through bespoke research that these avenues of attack can be uncovered,” he wrote.

    “Security teams and platform administrators don’t have the time and resources required to address these issues, particularly large enterprises that have operationalised several enterprise SaaS applications to fulfil multiple demands across their lines of business.”

    This post is exclusively published on eduexpertisehub.com

    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Team

      Related Posts

      From the FBI to F&A: lessons learnt in safeguarding systems and data

      July 5, 2025

      Supreme Court Ruling Highlights Continued Power Struggle Over LGBTQ+ Books in Schools

      July 5, 2025

      10 (and counting…) Google goodies for your classroom

      July 4, 2025

      Air France-KLM to increase intelligence of bots that have saved 200,000 hours

      July 4, 2025

      Large Public Libraries Give Young Adults Across U.S. Access to Banned Books

      July 3, 2025

      5 strategies to get your students talking

      July 3, 2025
      Courses and Software Tools

      Extreme Privacy: What It Takes to Disappear

      August 24, 202454 Views

      Modern C++ Programming Cookbook: Master Modern C++ with comprehensive solutions for C++23 and all previous standards

      September 18, 202427 Views

      Meebook E-Reader M7 | 6.8′ Eink Carta Screen | 300PPI Smart Light | Android 11 | Ouad Core Processor | Out Speaker | Support Google Play Store | 3GB+32GB Storage | Micro-SD Slot | Gray

      August 19, 202422 Views

      HR from the Outside In: Six Competencies for the Future of Human Resources

      May 20, 202517 Views

      Coders at Work: Reflections on the Craft of Programming

      April 19, 202516 Views
      Reviews

      Fundraising For Creators With Cryptocurrency Crowdfunding | Udemy Coupons 2025

      July 5, 2025

      Software Development Engineer – FBDA, Fire TV Channels, FBDA Video Ads

      July 5, 2025

      C# 12 and .NET 8 – Modern Cross-Platform Development Fundamentals: Start building websites and services with ASP.NET Core 8, Blazor, and EF Core 8

      July 5, 2025

      Options Trading Simplified For Beginners: Master The Essential Options Skills For Generational Wealth Even With A Small Account

      July 5, 2025

      The Anywhere Operating System: How to lead a team and run your business from anywhere

      July 5, 2025
      Stay In Touch
      • Facebook
      • YouTube
      • TikTok
      • WhatsApp
      • Twitter
      • Instagram
      Latest News

      From the FBI to F&A: lessons learnt in safeguarding systems and data

      July 5, 2025

      Supreme Court Ruling Highlights Continued Power Struggle Over LGBTQ+ Books in Schools

      July 5, 2025

      10 (and counting…) Google goodies for your classroom

      July 4, 2025

      Air France-KLM to increase intelligence of bots that have saved 200,000 hours

      July 4, 2025

      Large Public Libraries Give Young Adults Across U.S. Access to Banned Books

      July 3, 2025
      Latest Videos

      What is Digital Marketing? Scope, Earnings & Who Can Start a Career in It Hammad’s Digital Hub

      July 5, 2025

      Just trend #gacha #memecreator #gachaclub #gcmeme #gachalife #trend #gachememe #edit #memes

      July 4, 2025

      Kenley Jansen notches his 1,000th career MLB strikeout | August 25, 2021 | Dodgers @ Padres

      July 3, 2025

      Top 5 Cyber Security Jobs in India || Cyber Security Career 2024

      July 2, 2025

      Navigate Your Marketing Career with Expert Mentorship | NIMS Academy Success Guide

      July 1, 2025
      Latest Jobs

      Software Development Engineer – FBDA, Fire TV Channels, FBDA Video Ads

      July 5, 2025

      Youth Programs – Dance Class Instructor

      July 5, 2025

      Part Time Educator (South River, NJ)

      July 5, 2025

      Occupational Therapist – Full, Part Time & PRN Skilled Nursing Community

      July 5, 2025

      Lease Servicing Specialist II

      July 5, 2025
      Legal
      • Home
      • Privacy Policy
      • Cookie Policy
      • Terms and Conditions
      • Disclaimer
      • Affiliate Disclosure
      • Amazon Affiliate Disclaimer
      Latest Udemy Coupons

      Mastering Maxon Cinema 4D 2024: Complete Tutorial Series | Udemy Coupons 2025

      August 22, 202435 Views

      Advanced Program in Human Resources Management | Udemy Coupons 2025

      April 5, 202531 Views

      Diploma in Aviation, Airlines, Air Transportation & Airports | Udemy Coupons 2025

      March 21, 202530 Views

      Python Development & Data Science: Variables and Data Types | Udemy Coupons 2025

      May 24, 202521 Views

      Time Management and Timeboxing in Business, Projects, Agile | Udemy Coupons 2025

      April 2, 202521 Views
      Blog

      3 Ways To Network Over Summer Vacation And Grow Your Career

      July 3, 2025

      Why Community Is Your Most Valuable Career Asset In 2025

      June 28, 2025

      What Employers Are Really Looking For In Job Interviews

      June 27, 2025

      The Best Way to End a Cover Letter (With 4 Winning Examples)

      June 26, 2025

      5 Job Interview Secrets To Beat The Competition

      June 25, 2025
      Facebook X (Twitter) Instagram Pinterest YouTube Dribbble
      © 2025 All rights reserved!

      Type above and press Enter to search. Press Esc to cancel.

      We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
      .
      SettingsAccept
      Privacy & Cookies Policy

      Privacy Overview

      This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
      Necessary
      Always Enabled
      Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
      Non-necessary
      Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
      SAVE & ACCEPT