Thousands of websites using Oracle NetSuite could have personal information, including phone numbers and addresses, due to a misconfiguration in its SuiteCommerce offering that enables unauthorized record retrieval, SC Media reports. Such an issue could be leveraged by attackers to fetch most user records via HTML requests, according to an AppOmni analysis.
"The most common API used to perform operations on individual records in NetSuite is through the 'record' API. The functions exposed by this API grant the ability to perform varying CRUD operations, conveniently accessible from the client side," said AppOmni Chief of SaaS Security Research Aaron Costello.
Addressing such an issue was also noted by Costello to be challenging amid the obliviousness of many to site compromise, as well as the inaccessibility of NetSuite transaction logs that could be beneficial in detecting malicious API utilization.
"If you suspect that your organization may have been the victim of an attack that resembled a pattern similar to what was discussed in this blog post, we recommend contacting NetSuite support and requesting the raw log data," Costello added.
