A high-risk security bug in Oracle's Micros point-of-sale systems could be leveraged to compromise and download a company's entire business data.
The vulnerability, discovered by ERPScan security researcher Dmitry Chastuhin, allows an attacker to gain unauthenticated read and write access to the point-of-sale server's database.
ERPScan, which has a commercial stake in the space, said in a blog post that an attacker with access to a vulnerable device can read local files to obtain usernames and passwords and thereby gain full access to the database.
That can include customer names, email addresses, dates of birth, phone numbers, total sales, debit and credit cards, and information about different promotions and discounts that attackers can alter.
The flaw is rated 8.1 out of 10 for severity.
The researchers said that the vulnerability is exploitable by those with access to a vulnerable Micros point-of-sale device, such as an employee.
An attacker who does not know whether a given device is vulnerable could scan the network for vulnerable devices. That might not be so difficult when various devices and machines around the store are also ethernet-connected, making a plug-and-play-style attack easier than others.
Oracle said it fixed the flaw earlier this month as part of its quarterly patching schedule, prompting ERPScan to publish proof-of-concept code for the bug.
Oracle said the complexity of the attack was "high," but agreed that the vulnerability was at the high end of the severity scale.
Point-of-sale devices are notoriously vulnerable to attacks. The same security research company, which specializes in point-of-sale device security, discovered a way to trick a terminal into accepting any price -- even a single dollar -- for premium products, like computers and phones.
Earlier this year, Forever 21 confirmed its pay terminals had malware installed for more than six months, putting thousands of customers at risk of credit card fraud.
Oracle did not respond to a request for comment.