Software as a Service (SaaS) security company AppOmni has warned administrators at companies using NetSuite’s SuiteCommerce platform about a common customer misconfiguration that could lead to a data leak.
Misconfigured access controls for custom record types (CRTs) could allow attackers to access sensitive data via the feature that enables external-facing stores, Aaron Costello, head of SaaS security research at AppOmni, said in a blog post on the company’s website on Thursday.
For administrators who want to mitigate this risk, Costello suggested they consider tightening access controls on the CRT, setting sensitive fields to “none” for public access and taking the site offline temporarily, the article said.
NetSuite did not immediately respond to PYMNTS’ request for comment.
In his blog post, Costello emphasized that the potential data leak was the result of a customer misconfiguration, not an issue with the product itself.
“Some media coverage of this issue has misrepresented this as a security vulnerability in NetSuite products,” Costello said in the post. “To be clear, this article is intended to help customers understand how NetSuite security works and how to address potential but common customer misconfigurations that could result in a data leak.”
According to the article, the attack vectors Costello identified were focused on sites built using SuiteCommerce, which let unauthenticated customers browse, register and purchase products.
This attack vector could affect thousands of public SuiteCommerce websites and allow criminals to steal record data from organizations with public sites, the post said.
“In many of these cases, organizations using NetSuite and with no intention of deploying a commercial store were completely unaware that their default inventory website was exposed when they purchased their instance,” Costello wrote. “In our observations of these sites, the most commonly exposed sensitive data was PII [personally identifiable information]. It contains the full address and mobile number of the registered customer.”
The report comes in what PYMNTS has dubbed the “Year of Cyberattacks.”
PYMNTS reported in July that data extortion and ransomware attacks had a major impact on businesses in the first half of 2024, with a number of attacks sending ripples across the market.
