Cybersecurity researchers are warning of the discovery of thousands of Oracle NetSuite external e-commerce sites that were found to be leaking sensitive visitor information.
“A potential issue in NetSuite’s SuiteCommerce platform could allow attackers to access sensitive data due to misconfigured access controls on custom record types (CRTs),” said AppOmni’s Aaron Costello.
It is worth emphasizing here that the problem is not a security flaw in the NetSuite product itself, but a customer misconfiguration that can lead to a leak of sensitive data. The exposed data includes the full addresses and mobile phone numbers of registered customers of the affected e-commerce sites.
The attack scenario detailed by AppOmni leverages CRTs that use table-level access controls with the “No Permission Required” access type, which grants unauthenticated users access to NetSuite’s record and search APIs.
That said, for this attack to succeed a number of prerequisites must be met, the main one being that the attacker must know the name of the CRTs in use.
To mitigate the risk, it is recommended that site administrators tighten access controls on CRTs, set sensitive fields to “None” for public access, and consider temporarily taking affected sites offline to prevent data exposure.
“The simplest solution from a security standpoint would likely involve changing the access type of the record type definition to either ‘Require Custom Record Entries Permission’ or ‘Use Permission List,’” Costello said.
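As an added illustration of the misconfiguration described above (example code, not from AppOmni or NetSuite), the audit below walks a constructed, simplified export of CRT definitions and flags record types whose access type is “No Permission Required” together with sensitive-looking fields whose public access is not “None”. The export structure, its keys and the sample script IDs are assumptions; the three access-type labels are the ones named in the article.

```python
from dataclasses import dataclass
from typing import List, Optional

# Access-type labels as named in the article.
PUBLIC_ACCESS_TYPE = "No Permission Required"
SAFE_ACCESS_TYPES = {"Require Custom Record Entries Permission", "Use Permission List"}
# Field-name fragments that usually indicate personal data of registered customers.
SENSITIVE_HINTS = ("address", "phone", "email", "dob", "ssn")

@dataclass
class Finding:
    record_type: str
    field: Optional[str]   # None for a table-level (record type) finding
    severity: str
    message: str

def audit_custom_record_types(definitions) -> List[Finding]:
    """Flag CRTs reachable without authentication and sensitive fields readable by the public."""
    findings = []
    for crt in definitions:
        name, access = crt["scriptId"], crt["accessType"]
        unauthenticated = access == PUBLIC_ACCESS_TYPE
        exposed_fields = []
        for field in crt.get("fields", []):
            sensitive = any(h in field["scriptId"].lower() for h in SENSITIVE_HINTS)
            # Field-level control: the article's mitigation is public access "None".
            if sensitive and field.get("publicAccess", "None") != "None":
                exposed_fields.append(field["scriptId"])
                findings.append(Finding(name, field["scriptId"], "high" if unauthenticated else "low",
                                        f"sensitive field public access is '{field['publicAccess']}'"))
        # Table-level control: anything other than the two safe access types is reported;
        # it is only critical when it also exposes sensitive fields to unauthenticated users.
        if access not in SAFE_ACCESS_TYPES:
            severity = "high" if (unauthenticated and exposed_fields) else "medium"
            findings.append(Finding(name, None, severity, f"record type access type is '{access}'"))
    return findings

# Constructed sample export (assumed layout, not NetSuite's own export format).
SAMPLE_EXPORT = [
    {"scriptId": "customrecord_shipping_profile", "accessType": "No Permission Required",
     "fields": [{"scriptId": "custrecord_full_address", "publicAccess": "View"},
                {"scriptId": "custrecord_mobile_phone", "publicAccess": "View"},
                {"scriptId": "custrecord_carrier_code", "publicAccess": "View"}]},
    {"scriptId": "customrecord_loyalty_tier", "accessType": "Use Permission List",
     "fields": [{"scriptId": "custrecord_email", "publicAccess": "None"}]},
    {"scriptId": "customrecord_promo_banner", "accessType": "No Permission Required",
     "fields": [{"scriptId": "custrecord_banner_text", "publicAccess": "View"}]},
]

if __name__ == "__main__":
    for f in audit_custom_record_types(SAMPLE_EXPORT):
        print(f"[{f.severity}] {f.record_type} {f.field or '(table)'}: {f.message}")
```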
The disclosure comes as Cymulate detailed a way to manipulate the credential validation process in Microsoft Entra ID (formerly Azure Active Directory) and bypass authentication in hybrid identity infrastructures, allowing attackers to sign in with elevated privileges within the tenant and establish persistence.
However, the attack requires an adversary to have administrator access to a server that hosts a Pass-Through Authentication (PTA) agent, a module that allows users to sign in to both on-premises and cloud-based applications using Entra ID, in a setup where multiple on-premises domains are synchronized to a single Azure tenant.
“This issue arises when authentication requests are mishandled by pass-through authentication agents (PTAs) for different on-premises domains, leading to unauthorized access,” said security researchers Ilan Kalendarov and Elad Beber.
“This vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synchronized AD user without knowing their actual password; this could potentially grant access to a global administrator user if such privileges were assigned.”