New security flaws in Oracle MICROS retail systems could expose hundreds of thousands of shops and restaurants around the world to cyber thefts, security researchers have warned.
Oracle's MICROS-branded point-of-sale (POS) terminals are used in more than 200,000 food and beverage outlets, as well as 30,000 hotels, in an estimated 180 countries globally.
Specialists at application security vendor ERPScan note that Oracle had already issued a patch for the vulnerability but that many operators have failed to implement it, leaving themselves wide open to attack.
"Being business-critical and always busy, the systems cannot be updated immediately," said the researchers.
The security issue allows full access to the operating system, which will be subject to such risks as espionage, sabotage or fraud
The problem lies with the payment terminals. Hackers can access and read files from the system without requiring any authentication. They can then can gain access to the configuration file that stores sensitive information, including passwords.
Defined as a "directory traversal vulnerability", the ERPScan specialists categorised the vulnerability as "severe", with the flaw being assigned an 8.1 CVSS v3 score.
"The security issue allows full access to the operating system, which will be subject to such risks as espionage, sabotage or fraud. Cyber criminals may exploit the system in different ways depending on their needs; for example, pilfer credit card numbers," explained the research team in a blog post.
Alexander Polyakov, chief technology officer of ERPScan, said Oracle MICROS terminals are a key target for hackers. "POS [point of sale] systems directly process and transmit our payment orders, so it's self-evident that they are extremely important and valuable," he said.
"We use them on the daily basis and hope to be secure from thefts. As a user, I want to rest safe and to avoid any problem while making payments with my card. We worry for the security of our money, and it makes sense."
This isn't the first time MICROS has been found to be vulnerable. In 2016, hackers were able to get into MICROS by compromising the customer support portal.
Facebook told by Brussels-based court to stop tracking non-users and to delete all data held on them
Supply chain and manufacturing experience could give Dyson an important edge
New VR Zone Portal arcades open in London and Tunbridge Wells
Systems-on-a-chip with integrated AI features could make voice and facial recognition