Cybersecurity researchers have identified hundreds of Oracle NetSuite e-commerce sites with external-facing pages and are warning the public that these sites could leak confidential customer data.
Researchers studying cybersecurity are alerting the public to the discovery of hundreds of Oracle NetSuite e-commerce sites with external-facing pages that may be vulnerable to the leakage of private client data. “A potential issue in NetSuite’s SuiteCommerce platform could allow attackers to access sensitive data due to misconfigured access controls on custom record types (CRTs),” AppOmni’s Aaron Costello stated. It is important to note that this is not a security flaw in the NetSuite product; rather, the problem is a misconfiguration by the customer that may cause private information to leak out. The complete addresses and mobile phone numbers of the e-commerce sites’ registered users are among the details made public.
Using NetSuite’s record and search APIs, the attack scenario described by AppOmni takes advantage of CRTs that use table-level access restrictions with the “No Permission Required” access type, allowing unauthenticated users to read the records. However, several requirements must be met for the attack to succeed, the most important of which is that the attacker must already know the names of the CRTs in use. To reduce the risk, site managers should consider temporarily taking affected sites offline to prevent data disclosure, tightening access controls on CRTs, and setting sensitive fields to “none” for public access. Changing the record type definition’s Access Type to ‘Require Custom Record Entries Permission’ or ‘Use Permission’ may be the simplest remediation.
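The mitigation above boils down to two settings per custom record type: the table-level Access Type and the per-field public access level. The following is an added example (not code from the article, AppOmni, or NetSuite) of how an auditor might triage an inventory of CRT definitions against those two settings. The inventory format is an assumption for this example (a hand-built list of dictionaries, not a NetSuite export), and the record and field identifiers in the sample are constructed.

```python
"""Triage custom record type (CRT) definitions for the public-exposure
misconfiguration described in the article.

Assumptions (not NetSuite's own data model):
  - each CRT is a dict with 'id', 'access_type' and a 'fields' list
  - each field is a dict with 'id' and 'public_access' ('none' or 'view')
"""

# Access types the article names as the simple fix.
SAFE_ACCESS_TYPES = {"Require Custom Record Entries Permission", "Use Permission"}
# Access type the article identifies as the risky table-level setting.
PUBLIC_ACCESS_TYPE = "No Permission Required"


def assess_crt(crt):
    """Return (risk_level, reasons) for one CRT definition.

    'high'   : table reachable without permission AND at least one field
               readable by unauthenticated users
    'medium' : table reachable without permission, but every field's public
               access is already 'none'
    'ok'     : table requires a permission
    'review' : an access type this example does not recognise
    """
    reasons = []
    access_type = crt.get("access_type", "")

    if access_type in SAFE_ACCESS_TYPES:
        return "ok", reasons

    if access_type != PUBLIC_ACCESS_TYPE:
        reasons.append(f"unrecognised access type {access_type!r}; check manually")
        return "review", reasons

    reasons.append("table-level access type is 'No Permission Required'")

    # Fields whose public access is anything other than 'none' are the ones
    # an unauthenticated caller of the record/search APIs could read.
    exposed = [
        f["id"] for f in crt.get("fields", [])
        if f.get("public_access", "none") != "none"
    ]
    if exposed:
        reasons.append("fields readable without authentication: " + ", ".join(exposed))
        return "high", reasons

    return "medium", reasons


def recommend(crt):
    """Suggest the remediation the article describes for a given CRT."""
    level, _ = assess_crt(crt)
    if level == "ok":
        return "no change needed"
    if level == "review":
        return "verify the access type against the record type definition"
    actions = ["set Access Type to 'Require Custom Record Entries Permission' or 'Use Permission'"]
    if level == "high":
        actions.append("set public access on the exposed fields to 'none'")
    return "; ".join(actions)


def audit(inventory):
    """Map each CRT id to its (risk_level, reasons) assessment."""
    return {crt["id"]: assess_crt(crt) for crt in inventory}


# Constructed sample inventory (identifiers are made up for this example).
SAMPLE_INVENTORY = [
    {
        "id": "customrecord_shopper_profile",
        "access_type": "No Permission Required",
        "fields": [
            {"id": "custrecord_phone", "public_access": "view"},
            {"id": "custrecord_address", "public_access": "view"},
            {"id": "custrecord_nickname", "public_access": "none"},
        ],
    },
    {
        "id": "customrecord_promo_banner",
        "access_type": "No Permission Required",
        "fields": [{"id": "custrecord_banner_text", "public_access": "none"}],
    },
    {
        "id": "customrecord_order_note",
        "access_type": "Use Permission",
        "fields": [{"id": "custrecord_note_body", "public_access": "view"}],
    },
]

if __name__ == "__main__":
    for crt_id, (level, reasons) in audit(SAMPLE_INVENTORY).items():
        print(f"{crt_id}: {level}")
        for reason in reasons:
            print(f"    - {reason}")
```

The ordering of the checks matters: a table that requires a permission is treated as safe regardless of its field settings, because the per-field public access level only comes into play when the table itself is reachable without authentication. A 'medium' result still deserves the Access Type change, since the table-level setting is the control the article recommends tightening.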
The revelation coincides with Cymulate’s publication of a method for tricking Microsoft Entra ID’s (previously Azure Active Directory) credential validation procedure and bypassing authentication in hybrid identity infrastructures. This lets attackers log in with elevated privileges inside the tenant and establish persistent access. To carry out the attack, however, an adversary must already have administrator access to a server that hosts a Pass-Through Authentication (PTA) agent, the component that lets users sign in through Entra ID to both on-premises and cloud-based applications. The problem arises when multiple on-premises domains are synced to a single Azure tenant.
Security experts Ilan Kalendarov and Elad Beber stated that this problem occurs when authentication requests are processed incorrectly by pass-through authentication (PTA) agents for various on-prem domains, potentially resulting in unauthorized access. “This vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synced AD user without knowing their actual password; this could potentially grant access to a global admin user if such privileges were assigned.”
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a property of Mercadeo Multiventures Pvt Ltd.