Oracle Micros point-of-sale system vulnerability puts business data at risk

A high-risk security bug in Oracle's Micros point-of-sale systems could be leveraged to compromise and download a company's entire business data.

The vulnerability, discovered by ERPScan security researcher Dmitry Chastuhin, allows an attacker to gain unauthenticated read and write access to the point-of-sale server's database.

ERPScan, which has a commercial stake in the space, said in a blog post that an attacker with access to a vulnerable device can read local files to obtain usernames and passwords to gain full access the database.

That can include customer names, email addresses, dates of birth, phone numbers, total sales, debit and credit cards, and information about different promotions and discounts that attackers can alter.

The flaw is classified as an 8.1 out of 10 for its severity.

The researchers said that the vulnerability is exploitable by those with access to a vulnerable Micros point-of-sale device, such as an employee.

Not knowing if a device can be exploited, a semi-adept attacker could scan the network for vulnerable devices. That might not be so difficult when various devices and machines around the store are also ethernet-connected, making a plug and play-style attack easier than others.

Oracle said it fixed the flaw earlier this month as part of its quarterly patching schedule, prompting ERPScan to publish proof-of-concept code for the bug.

Oracle said the complexity of the attack was "high," but agreed that the vulnerability was at the high end of the severity scale.

Point-of-sale devices are notoriously vulnerable to attacks. The same security research company, which specializes in point-of-sale device security, discovered a way to trick a terminal into accepting any price -- even a single dollar --for premium products, like computers and phones.

Earlier this year, Forever 21 confirmed its pay terminals had malware installed for more than six months, putting thousands of customers at risk of credit card fraud.

Oracle did not respond to a request for comment.

ZDNET INVESTIGATIONS

Researchers say a breathalyzer has flaws, casting doubt on countless convictions

Lawsuits threaten infosec research — just when we need it most

NSA's Ragtime program targets Americans, leaked files show

Leaked TSA documents reveal New York airport's wave of security lapses

US government pushed tech firms to hand over source code

Millions of Verizon customer records exposed in security lapse

Meet the shadowy tech brokers that deliver your data to the NSA

Inside the global terror watchlist that secretly shadows millions

198 million Americans hit by 'largest ever' voter records leak

Britain has passed the 'most extreme surveillance law ever passed in a democracy'

Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it

Leaked document reveals UK plans for wider internet surveillance

• Researchers say a breathalyzer has flaws, casting doubt on countless convictions
• Lawsuits threaten infosec research — just when we need it most
• NSA's Ragtime program targets Americans, leaked files show
• Leaked TSA documents reveal New York airport's wave of security lapses
• US government pushed tech firms to hand over source code
• Millions of Verizon customer records exposed in security lapse
• Meet the shadowy tech brokers that deliver your data to the NSA
• Inside the global terror watchlist that secretly shadows millions
• 198 million Americans hit by 'largest ever' voter records leak
• Britain has passed the 'most extreme surveillance law ever passed in a democracy'
• Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it
• Leaked document reveals UK plans for wider internet surveillance