In the past year, security researchers have been urging the global shipping industry to strengthen cyber defenses after a series of cargo thefts linked to hackers. Researchers say they have seen elaborate hacks targeting logistics companies to steal and divert large quantities of their customers’ products into the hands of criminals, in what has become a worrying collusion between hackers and organized crime gangs.
A stolen vapor delivery truck here, a suspected lobster robbery there.
A little-known and critical US shipping technology company has spent the past few months patching its own systems after discovering a series of simple vulnerabilities that inadvertently left the doors of its shipping platform wide open to anyone on the Internet.
The company is Bluspark Global, a New York-based company whose shipping and supply chain platform, Bluvoyix, enables hundreds of large companies to transport their products and track their cargo as it travels around the world. While Bluspark may not be well-known, the company helps power a large segment of global freight forwarding, including retail giants, grocers, furniture manufacturers and more. The company’s software is also used by many other companies affiliated with Bluspark.
Bluspark told TechCrunch this week that its security issues have now been resolved. The company fixed five flaws in its platform, including the use of plaintext passwords by employees and customers and the ability to remotely access and interact with Bluvoyix’s shipping software. The flaws revealed access to all customer data, including their shipping records, dating back decades.
But for security researcher Eaton Zveare, who uncovered the vulnerabilities in Bluspark’s systems in October, notifying the company of the security flaws took longer than discovering the bugs themselves — since Bluspark had no way to contact her.
In a published now blog postZveare said he submitted details of the five flaws in Bluspark’s platform to Maritime Hacking Villagea non-profit organization that works to secure the maritime space and, as in this case, helps investigators notify companies working in the shipping industry of active security flaws.
Weeks later, and after numerous emails, voicemails and LinkedIn messages, the company had not heard back from Zveare. All the while, the flaws could still be exploited by anyone on the Internet.
As a last resort, Zveare reached out to TechCrunch in an attempt to highlight the issues.
TechCrunch sent emails to Bluspark CEO Ken O’Brien and the company’s senior leadership notifying them of a security flaw, but did not receive a response. TechCrunch later emailed a customer of Bluspark, a US-listed retailer, to alert them of the upstream security flaw, but we also haven’t heard back.
The third time TechCrunch emailed Bluspark’s CEO, we included a partial copy of his password to demonstrate the severity of the security breach.
A few hours later, TechCrunch received a response — from a law firm representing Bluspark.
Plain text passwords and unverified API
In his blog post, Zveare explained that he first discovered the vulnerabilities after visiting a Bluspark customer’s website.
Zveare wrote that the client’s website had a contact form that allowed prospective clients to ask questions. Viewing the website’s source code with his browser’s built-in tools, Zveare noticed that the form would send the client’s message through Bluspark’s servers via its API. (An API allows two or more connected systems to communicate with each other over the Internet; in this case, a website contact form and Bluspark client inbox.)
Since the email sending code was embedded in the website itself, this meant that it was possible for anyone to modify the code and abuse this form sending malicious emailssuch as phishing lures, sourced from a real Bluspark customer.
Zveare pasted the API web address into his browser, which loaded a page containing the automatically generated API documentation. This website was a main list of all actions that can be performed with the company’s API, such as requesting a list of users who have access to Bluspark’s platforms, as well as creating new user accounts.
The API documentation page also had a feature that allowed anyone to “test” the API by submitting commands to retrieve data from Bluspark’s servers as a logged in user.
Zveare found that the API, despite the page claiming it required authentication to use, no password needed or any credentials to return sensitive information from Bluspark’s servers.
Using only the list of API commands, Zveare was able to retrieve groups of employee and customer user account files using Bluspark’s platform, completely without authentication. This included usernames and passwords, which they were visible in plain text and not encrypted — including an account associated with the platform administrator.
With the admin username and password in hand, an attacker could have logged into that account and run amok. As a bona fide security researcher, Zveare could not use the credentials, as using someone else’s password without their permission is illegal.
Since the API documentation listed a command that allowed anyone create a new user with admin access, Zveare went ahead and did just that and gained unlimited access to the Bluvoyix supply chain platform. Zveare said the administrator’s level of access allowed customer data to be viewed as far back as 2007.
Zveare found that once he connected to this newly created user, each API request was wrapped in a user-specific token, which was meant to ensure that the user was actually accessing a portal page whenever he clicked on a link. But the token was not necessary to complete the command, allowing Zveare to send requests without the token altogether, further confirming that the API was unauthenticated.
Bugs fixed, company plans new security policy
After contacting Bluspark’s law firm, Zveare gave TechCrunch permission to share a copy of his vulnerability report with its representatives.
Days later, the law firm said Bluspark had remedied most of the defects and was working to retain a third-party firm for an independent evaluation.
Zveare’s efforts to expose the bugs highlight a common problem in the cybersecurity world. Companies often do not provide a way, such as a publicly listed email address, to notify them of security vulnerabilities. As such, this can make it difficult for security researchers to publicly disclose security flaws that remain active, due to concerns that revealing details could put user data at risk.
Ming Lee, a lawyer representing Bluspark, told TechCrunch on Tuesday that the company is “confident in the steps being taken to mitigate the potential risk arising from the researcher’s findings,” but did not comment on specifics about the vulnerabilities or their fixes. say which third-party rating agency it has retained, if any; or comment on its specific security practices.
When asked by TechCrunch, Bluspark did not say whether it had been able to ascertain whether any of its customers’ shipments had been manipulated by someone maliciously exploiting the bugs. Lee said there was “no indication of customer impact or malicious activity attributable to the issues identified by the investigator.” Bluspark did not say what evidence it had to reach that conclusion.
Lee said Bluspark planned to introduce a disclosure program, allowing outside security researchers to report bugs and flaws to the company, but that its discussions were still ongoing.
Bluspark CEO Ken O’Brien did not comment for this article.
To contact this reporter securely, you can contact using Signal via username: zackwhittaker.1337
