Researchers find new flaw in Oracle's MICROS retail systems

Vulnerability allows unauthorised access to sensitive data

Cyber researchers have discovered a new security flaw that allows crooks to tap into Oracle's MICROS retail systems and steal sensitive data.

Oracle's point-of-sale (POS) terminals are used in more than 200,000 food and beverage outlets as well as 30,000 hotels in an estimated 180 countries globally.

Specialists at application security vendor ERPScan note that Oracle had already issued a patch for the vulnerability but that many vendors failed to implement it, leaving themselves exposed to attackers.

"Being business-critical and always busy, the systems cannot be updated immediately," said the researchers.

The problem lies with the firm's payment terminals. Attackers can read files from the system without any authentication. They can then gain access to the configuration file that stores sensitive information, including passwords.

ERPScan's specialists classify the flaw as a "directory traversal vulnerability" and describe it as "severe", giving it a CVSS v3 score of 8.1.
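To illustrate the vulnerability class described above (unauthenticated file reads via directory traversal), here is an added example, not code from Oracle, MICROS or ERPScan: a weak path-resolution routine beside a hardened one that canonicalises the request and refuses anything that escapes the web root. `BASE_DIR` and all sample requests are constructed values.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example; not a real MICROS path.
BASE_DIR = "/srv/pos/webroot"


def resolve_naive(requested: str) -> str:
    """Weak pattern: glue the client-supplied path onto the web root.

    The filesystem later resolves any '..' segments, so a request can
    land on a file outside BASE_DIR (e.g. a configuration file).
    """
    return BASE_DIR + "/" + requested


def resolve_safe(requested: str) -> str:
    """Hardened pattern: decode, normalise, then enforce the root prefix."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    # Decode twice so double-encoded sequences such as %252e are not missed.
    decoded = unquote(unquote(requested))
    # Treat backslashes as separators so Windows-style traversal is normalised too.
    decoded = decoded.replace("\\", "/")
    # posixpath.join discards BASE_DIR when 'decoded' is absolute; normpath
    # collapses '.' and '..'. Either way the prefix check below catches escapes.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    # The trailing '/' in the prefix stops '/srv/pos/webroot2' from passing.
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        raise PermissionError("path escapes web root: %r" % requested)
    return candidate


def is_traversal_attempt(requested: str) -> bool:
    """Detection helper: True when the hardened resolver would reject the request."""
    try:
        resolve_safe(requested)
    except (PermissionError, ValueError):
        return True
    return False
```

Running `is_traversal_attempt` over request paths pulled from web-server logs gives a simple indicator of probing for this bug class, independent of whether the server itself was patched.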

"The security issue allows full access to the OS that will be subject to such risks as espionage, sabotage or fraud. Cyber criminals may exploit the system in different ways depending on their needs; for example, pilfer credit card numbers," explained the research team in a blog post.

Alexander Polyakov, chief technology officer of ERPScan, said MICROS is a lucrative target for hackers. "POS systems directly process and transmit our payment orders, so it's self-evident that they are extremely important and valuable," he explained.

"We use them on a daily basis and hope to be secure from thefts. As a user, I want to rest safe and to avoid any problem while making payments with my card. We worry for the security of our money, and it makes sense."

This isn't the first time MICROS has been found to be vulnerable. In 2016, hackers were able to get into MICROS by compromising the customer support portal.