A US cargo technology company is publicly exposing its shipping systems and customer data to the web


For the past year, security researchers have urged the global shipping industry to shore up its cyber defenses after several cargo thefts were linked to hackers. Researchers say they have seen sophisticated intrusions at logistics companies used to hijack shipments and divert large quantities of customer goods into the hands of criminals, an alarming collusion between hackers and real-world organized crime gangs.

A vape delivery truck stolen here, a suspect lobster there.

One little-known but critical US shipping technology company has spent the past few months patching its own systems after a researcher found a set of simple vulnerabilities that left its shipping platform open to anyone on the internet.

The company is Bluspark Global, a New York-based company whose shipping and supply chain platform, Bluvoyix, lets hundreds of large companies ship products and track cargo as it travels around the world. While Bluspark may not be a household name, its software helps power much of the world’s cargo shipping, including for retail giants, grocery chains, furniture manufacturers, and more. The software is also used by several other companies affiliated with Bluspark.

Bluspark told TechCrunch this week that the security issues have now been resolved. The company fixed five flaws in the platform, including the storage of employee and customer passwords in plaintext, and the ability for anyone to remotely access and interact with the Bluvoyix shipping software. Together, the flaws exposed all customer data, including shipment records, dating back to 2007.

But for security researcher Eaton Zveare, who found the vulnerabilities in Bluspark’s systems in October, getting the company’s attention took far longer than finding the bugs, because Bluspark had no known way to report them.

In a blog post published this week, Zveare said he submitted details of five defects in the Bluspark platform to Maritime Hacking Village, a non-profit organization that works to secure the maritime sector and, as in this case, helps researchers notify companies in the maritime industry of active security flaws.

Weeks later, and after numerous emails, voicemails, and LinkedIn messages, the company had still not responded to Zveare. All the while, the flaws remained exploitable by anyone on the internet.

As a last resort, Zveare contacted TechCrunch in an attempt to flag the issue.

TechCrunch emailed Bluspark CEO Ken O’Brien and the company’s senior leadership to alert them to the security issues, but did not receive a response. TechCrunch later emailed a customer of Bluspark, a publicly traded US retailer, to alert it to the upstream security issue, but heard nothing back either.

The third time TechCrunch emailed Bluspark’s CEO, we included a partial copy of an exposed password to demonstrate the seriousness of the issue.

A few hours later, TechCrunch received a response – from the law firm representing Bluspark.

Plaintext and unauthenticated API passwords

In a blog post, Zveare explained that he first discovered the vulnerability after visiting the website of a Bluspark customer.

Zveare wrote that the customer’s website has a contact form that lets prospective customers ask questions. By inspecting the page’s source code with the browser’s built-in developer tools, Zveare noticed that the form sent visitor messages through Bluspark’s servers via an API. (An API lets two or more connected systems communicate with each other over the internet; in this case, the website’s contact form and Bluspark’s customer inbox.)

Because the code that submits the form runs in the visitor’s browser, anyone can modify it and abuse the form to send malicious emails, such as phishing lures, that appear to come from real Bluspark customers.

Zveare pasted the API’s web address into his browser, which loaded a page of auto-generated API documentation. The page was a master list of every action that could be performed with the company’s API, such as requesting a list of users with access to the Bluspark platform, as well as creating new user accounts.

The documentation page also had a feature that lets anyone “try” the API by sending commands that retrieve data from Bluspark’s servers as though they were a logged-in user.

Zveare found that, although the page claimed the API required authentication, no password or other credential was actually needed to pull sensitive data from Bluspark’s servers.

Using only the documented API commands, Zveare could retrieve reams of user account records for the employees and customers who use Bluspark’s platform, all without authenticating. The records included usernames and passwords stored in plaintext, unencrypted and unhashed, including for accounts belonging to platform administrators.

With an administrator’s username and password in hand, an attacker could simply log in to that account and do as they pleased. As a responsible researcher, Zveare did not use those credentials, since using someone else’s password without their consent is illegal.

Since the API documentation listed commands that let anyone create a new user with administrator access, Zveare did just that, and obtained unrestricted access to the Bluvoyix supply chain platform. Zveare said this administrator-level access let him see customer data dating back to 2007.

Zveare found that after signing in as the newly created user, each API request carried a user-specific token, intended to confirm on every click that the user was permitted to view the portal page. But the token was not needed for the request to succeed: Zveare could send requests with no token at all, further confirming that the API did not enforce authentication.
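The failure described above, an API that accepts a session token but never checks it, can be tested for directly. The following is an added example and is not Bluspark’s or Zveare’s code: it models a “list users” and a “create user” endpoint in the vulnerable form (token ignored, plaintext passwords returned), beside a hardened form (token verified, admin-only actions authorised, only salted password hashes stored and never returned), and a probe that calls each endpoint with a valid token, a forged token, and no token to see whether the token actually gates access. All endpoint names, usernames, passwords and tokens are constructed for illustration; in a real engagement the two endpoint functions would be replaced by HTTP calls carrying the token in the request header.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # cost factor for stored password hashes

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the only form a password should be stored in."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed sample data (not real records). The vulnerable store keeps
# plaintext passwords, which is what the exposed API handed back.
VULN_USERS = [
    {"username": "admin", "password": "Summer2024!", "role": "admin"},
    {"username": "jdoe",  "password": "hunter2",     "role": "customer"},
]

# Hardened store: only a salt and a hash per user, never the password itself.
SAFE_USERS = []
for _u in VULN_USERS:
    _salt, _digest = hash_password(_u["password"])
    SAFE_USERS.append({"username": _u["username"], "role": _u["role"],
                       "salt": _salt, "hash": _digest})

# One live session, belonging to a *customer* account. Tokens must be unguessable.
VALID_TOKEN = "tok-" + secrets.token_hex(16)
SESSIONS = {VALID_TOKEN: "jdoe"}

# --- vulnerable endpoints: the token parameter is accepted but never examined ---
def vuln_list_users(token):
    return {"status": 200, "users": VULN_USERS}

def vuln_create_user(token, username, role):
    VULN_USERS.append({"username": username, "password": "changeme", "role": role})
    return {"status": 201, "created": username}

# --- hardened endpoints: authenticate first, then authorise ---
def _session_user(token):
    """Return the user record for a valid session token, else None.
    compare_digest keeps the comparison constant-time so token bytes do not
    leak through timing differences."""
    if not token:
        return None
    for issued, name in SESSIONS.items():
        if len(issued) == len(token) and hmac.compare_digest(issued, token):
            return next(u for u in SAFE_USERS if u["username"] == name)
    return None

def safe_list_users(token):
    if _session_user(token) is None:
        return {"status": 401, "error": "authentication required"}
    # Return only non-secret fields; not even the hashes leave the server.
    return {"status": 200,
            "users": [{"username": u["username"], "role": u["role"]} for u in SAFE_USERS]}

def safe_create_user(token, username, role):
    caller = _session_user(token)
    if caller is None:
        return {"status": 401, "error": "authentication required"}
    if caller["role"] != "admin":  # a customer session must not be able to mint admins
        return {"status": 403, "error": "admin role required"}
    salt, digest = hash_password(secrets.token_urlsafe(12))  # random initial password
    SAFE_USERS.append({"username": username, "role": role, "salt": salt, "hash": digest})
    return {"status": 201, "created": username}

# --- the check: does the token actually gate the endpoint? ---
def probe(endpoint, *args):
    """Call the endpoint with a valid token, a forged token and no token.
    'bypassable' is True if any unauthenticated call succeeds (2xx);
    'leaks_passwords' is True if the authenticated response carries password
    material (plaintext or hash)."""
    authed = endpoint(VALID_TOKEN, *args)
    results = {}
    for label, tok in (("no_token", None), ("forged_token", "tok-" + "00" * 16)):
        results[label] = endpoint(tok, *args)["status"] < 300
    leaks = any("password" in u or "hash" in u for u in authed.get("users", []))
    return {"bypassable": any(results.values()), "leaks_passwords": leaks, **results}

if __name__ == "__main__":
    print("vulnerable list_users:", probe(vuln_list_users))
    print("hardened  list_users:", probe(safe_list_users))
    print("vulnerable create_user:", probe(vuln_create_user, "mallory", "admin"))
    print("hardened  create_user:", probe(safe_create_user, "mallory", "admin"))
```

The probe deliberately treats a 2xx response to a token-less or forged-token call as a finding on its own, without comparing response bodies, because an endpoint that answers at all without a valid session is already the bug; checking the body for password fields is a separate finding that holds even when authentication is enforced.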

Bugs persist, company drafts new security policy

After Bluspark’s law firm made contact, Zveare gave TechCrunch permission to share a copy of his vulnerability report with the firm’s representatives.

A few days later, the law firm said that Bluspark had resolved most of the defects and was working to retain a third-party firm for an independent assessment.

Zveare’s efforts to get the bugs fixed highlight a common problem in the cybersecurity world. Companies often provide no way, such as a publicly listed security contact address, for outsiders to alert them to vulnerabilities. That leaves researchers in a bind: the flaws remain live, but publicly disclosing them could endanger user data.

Ming Lee, a lawyer representing Bluspark, told TechCrunch that the company is “confident in the measures taken to reduce the potential risks arising from the researchers’ findings,” but would not comment on the specifics of the vulnerabilities or the fixes, name the third-party firm retained, if any, or discuss the company’s security practices.

When asked by TechCrunch, Bluspark would not say whether it is able to determine if anyone else had exploited the bugs to access customer data. Lee said there was “no indication of customer impact or malicious activity caused by the issues identified by researchers.” Bluspark would not say what evidence it relied on to reach that conclusion. Because an unauthenticated API produces no login events to review, answering that question generally requires server-side request logs covering the entire period the flaws were exposed.

Lee said Bluspark is planning to introduce a disclosure program that would let outside security researchers report bugs and defects to the company, but that those discussions are still ongoing.

Bluspark CEO Ken O’Brien did not comment for this article.

To contact this reporter securely, you can reach him on Signal at the username zackwhittaker.1337.
