Thousands of NetSuite stores are leaking sensitive data due to poor regulatory controls

How does this lead to a misconfiguration?

Let’s assume that an administrator creates a custom record type (CRT) with “No Permissions Required.” When adding custom fields, the administrator wants some fields to be readable by unauthorized users, so sets their Default Access Level to View; for other fields that should not be readable, the administrator sets the Default Access Level to None, assuming that the task is complete.

This is incorrect because the “Default Level for Search/Reporting” (DLSR) setting is still in effect even when the Default Access Level is set to None, and this, Costello demonstrates, can be abused through the NetSuite API to read data from that field. The confusion here may stem from the fact that fields with Default Access Level set to None cannot be read by the SuiteScript loadRecord function, which is part of the N/record module and provides the common CRUD operations (create, read, update, delete) on individual records.

But there is a separate API function called nlapiSearchRecord, part of the N/search module, which can also be used to read data from record fields, and the permission for this API is governed by the DLSR setting. The difference is that reading field values with nlapiSearchRecord requires knowing the field name, while reading data with loadRecord requires knowing the field ID. Fortunately, the data available from the two APIs complement each other.
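To make the two gates concrete, here is an added JavaScript model (not code from the article or from NetSuite) of how a record load and a search are permitted differently, together with an audit that flags fields whose Default Level for Search/Reporting is more permissive than their Default Access Level. The record type, field IDs, level names and the two simulated read paths are all constructed assumptions for illustration; the real checks live inside NetSuite, and the point is only to show the gap an administrator can audit for.

```javascript
// Added example: models the two NetSuite custom-field permission settings and
// audits a custom record type for fields hidden from loads but exposed to search.
// Level names and the record definition below are constructed, not real data.
const ACCESS_LEVELS = ["none", "view", "edit"]; // "none" blocks reads; "view"/"edit" allow them
const rank = (level) => ACCESS_LEVELS.indexOf(level);

// Constructed "No Permissions Required" custom record type (hypothetical IDs)
const crtNoPermissionsRequired = {
  id: "customrecord_example",
  fields: [
    { id: "custrecord_public_note", defaultAccessLevel: "view", defaultSearchLevel: "view" },
    // Admin set Default Access Level to None but left search/reporting at View
    { id: "custrecord_sensitive", defaultAccessLevel: "none", defaultSearchLevel: "view" },
    // Correctly locked down on both settings
    { id: "custrecord_locked", defaultAccessLevel: "none", defaultSearchLevel: "none" },
  ],
};

// Simulates a record-load style read: gated only by Default Access Level
function fieldsReadableViaLoad(crt) {
  return crt.fields.filter((f) => f.defaultAccessLevel !== "none").map((f) => f.id);
}

// Simulates a search/reporting style read: gated only by the DLSR setting
function fieldsReadableViaSearch(crt) {
  return crt.fields.filter((f) => f.defaultSearchLevel !== "none").map((f) => f.id);
}

// Audit: fields that a load refuses but a search would still return
function findLeakingFields(crt) {
  const viaLoad = new Set(fieldsReadableViaLoad(crt));
  return fieldsReadableViaSearch(crt).filter((id) => !viaLoad.has(id));
}

// Remediation: never let the search/reporting level exceed the access level
function harden(crt) {
  return {
    ...crt,
    fields: crt.fields.map((f) =>
      rank(f.defaultSearchLevel) > rank(f.defaultAccessLevel)
        ? { ...f, defaultSearchLevel: f.defaultAccessLevel }
        : f
    ),
  };
}

// Usage: report the leaking fields before and after hardening
console.log("leaking:", findLeakingFields(crtNoPermissionsRequired));
console.log("after hardening:", findLeakingFields(harden(crtNoPermissionsRequired)));
```

The audit rule is deliberately one-directional: a field is only flagged when search/reporting is more permissive than access, which is exactly the combination the article describes, and `harden` resolves it by pulling the search level down to match rather than raising access.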

