Cybersecurity researchers are warning of the discovery of thousands of third-party Oracle NetSuite e-commerce sites that have been found to be vulnerable to leaking sensitive customer information.
“A potential issue in the NetSuite SuiteCommerce platform could allow attackers to gain access to sensitive data due to misconfiguration of access controls for custom record types (CRTs),” Aaron Costello of AppOmni said.
It should be emphasized that the problem is not a security flaw in the NetSuite product itself but a customer-side misconfiguration that can lead to the leakage of sensitive data. Exposed information includes full addresses and mobile phone numbers of registered customers of the e-commerce sites.
The attack scenario detailed by AppOmni relies on CRTs whose table-level access control is set to the “No Permission Required” access type, which lets unauthenticated users read data through NetSuite’s record and search APIs.
However, for the attack to succeed a number of prerequisites must be met, chief among them that the attacker must know the names of the CRTs in use.
To reduce the risk, it is recommended that site administrators tighten access controls to CRTs, set privacy fields to “None” for public access, and consider temporarily taking affected sites offline to prevent data disclosure.
“The simplest solution from a security perspective might involve changing the access type in the entry type definition to ‘Require permission for user entries’ or ‘Use permission list,’” Costello said.
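The two settings discussed above, the table-level access type of a CRT and the public access level of its individual fields, combine to decide whether an anonymous caller can read a record. The following audit is an added illustration written for this page; it is not NetSuite code and does not call the NetSuite API. It models a constructed export of CRT definitions (the record and field names are made up, and the labels for the “Require permission” option and the per-field access values are assumptions), flags types that answer unauthenticated reads, rates the finding higher when the exposed field names look like personal data, and applies the two recommended fixes.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

# Access types for a custom record type, named as the article quotes them.
# The third value is an assumed label for the "Require permission" option.
NO_PERMISSION_REQUIRED = "No Permission Required"
USE_PERMISSION_LIST = "Use Permission List"
REQUIRE_PERMISSION = "Require Custom Record Entries Permission"  # assumed label

# Field-name fragments that usually indicate personal data (constructed list).
SENSITIVE_HINTS = ("address", "phone", "mobile", "email", "ssn", "birth")


@dataclass(frozen=True)
class CrtField:
    name: str
    public_access: str  # assumed values: "None" (hidden) or "View"


@dataclass(frozen=True)
class CustomRecordType:
    name: str
    access_type: str
    fields: tuple  # of CrtField


def is_anonymously_readable(crt: CustomRecordType) -> bool:
    """Table-level check: only this access type answers unauthenticated reads."""
    return crt.access_type == NO_PERMISSION_REQUIRED


def exposed_fields(crt: CustomRecordType) -> List[CrtField]:
    """Fields an unauthenticated caller could read: the type must be open AND
    the field's public access must not be 'None'."""
    if not is_anonymously_readable(crt):
        return []
    return [f for f in crt.fields if f.public_access != "None"]


def audit(crts) -> List[Dict]:
    """One finding per CRT that leaks at least one field to anonymous readers."""
    findings = []
    for crt in crts:
        fields = exposed_fields(crt)
        if not fields:
            continue
        sensitive = sorted(
            f.name for f in fields
            if any(hint in f.name.lower() for hint in SENSITIVE_HINTS)
        )
        findings.append({
            "record_type": crt.name,
            "exposed_fields": [f.name for f in fields],
            "sensitive_fields": sensitive,
            "severity": "high" if sensitive else "medium",
        })
    return findings


def harden(crt: CustomRecordType) -> CustomRecordType:
    """Apply the article's two recommendations: move the access type away from
    'No Permission Required' and set every field's public access to 'None'."""
    closed_fields = tuple(replace(f, public_access="None") for f in crt.fields)
    return replace(crt, access_type=USE_PERMISSION_LIST, fields=closed_fields)


# Constructed sample export; not data from any real NetSuite tenant.
SAMPLE_CRTS = (
    CustomRecordType("customrecord_customer_profile", NO_PERMISSION_REQUIRED, (
        CrtField("full_address", "View"),
        CrtField("mobile_phone", "View"),
        CrtField("loyalty_tier", "None"),
    )),
    CustomRecordType("customrecord_store_locations", NO_PERMISSION_REQUIRED, (
        CrtField("city", "View"),
    )),
    CustomRecordType("customrecord_orders", USE_PERMISSION_LIST, (
        CrtField("shipping_address", "View"),
    )),
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CRTS):
        print(finding)
    print(audit([harden(c) for c in SAMPLE_CRTS]))  # -> []
```

The orders type is not reported even though it carries an address field, because the table-level setting already blocks anonymous reads; the profile type is rated high because both of its open fields match the personal-data hints. Either fix alone closes the finding, which is why the article lists both: the access-type change protects every field at once, while the per-field setting guards against a type that is later reopened.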
The disclosure came as Cymulate detailed a way to manipulate the credential validation process in Microsoft Entra ID (formerly Azure Active Directory) and bypass authentication in hybrid identity infrastructures, allowing attackers to gain elevated privileges within a tenant and establish persistence.
The attack, however, requires the adversary to already have administrator access on the server hosting the Pass-Through Authentication (PTA) agent, a component that lets users sign in to both on-premises and cloud applications with Entra ID. The problem arises when multiple on-premises domains are synced to a single Azure tenant.
“This issue occurs when Pass-Through Authentication (PTA) agents incorrectly handle authentication requests for different local domains, leading to potential unauthorized access,” security researchers Ilan Kalendarov and Elad Beber said.
“This vulnerability effectively turns the PTA agent into a double agent, allowing an attacker to log in as any synced AD user without knowing their actual password; this could potentially grant access to the global admin user if such privileges were assigned.”