For the past year, security researchers have been urging the global shipping industry to shore up their cyber defenses after a spate of cargo thefts were linked to hackers. The researchers say they have seen elaborate hacks targeting logistics companies to hijack and redirect large amounts of their customers’ products into the hands of criminals, in what has become an alarming collusion between hackers and real-life organized crime gangs.
A delivery truck of stolen vapes here, a suspected lobster heist there.
One little-known and critical U.S. shipping tech company has spent the last few months patching its own systems following the discovery of a raft of simple vulnerabilities, which inadvertently left the doors to its shipping platform wide open to anyone on the internet.
The company is Bluspark Global, a New York-based firm whose shipping and supply chain platform, Bluvoyix, allows hundreds of big companies to transport their products and track their cargo as it travels across the globe. While Bluspark may not be a household name, the company helps to power a large slice of worldwide freight shipments, including retail giants, grocery stores, furniture makers, and more. The company’s software is also used by several other companies affiliated with Bluspark.
Bluspark told TechCrunch this week that its security issues are now resolved. The company fixed five flaws in its platform, including the use of plaintext passwords by employees and customers, and the ability to remotely access and interact with Bluvoyix’s shipping software. The flaws exposed access to all of the customer’s data, including their shipment records, dating back decades.
But for security researcher Eaton Zveare, who uncovered the vulnerabilities in Bluspark’s systems back in October, alerting the company to the security flaws took longer than the discovery of the bugs themselves — since Bluspark had no discernable way to contact it.
In a now-published blog post, Zveare said he submitted details of the five flaws in Bluspark’s platform to the Maritime Hacking Village, a non-profit that works to secure maritime space and, as with this case, helps researchers to notify companies working in the maritime industry of active security flaws.
Weeks later and following multiple emails, voicemails, and LinkedIn messages, the company had not responded to Zveare. All the while, the flaws could still be exploited by anyone on the internet.
As a last resort, Zveare contacted TechCrunch in an effort to get the issues flagged.
TechCrunch sent emails to Bluspark CEO Ken O’Brien and the company’s senior leadership alerting them to a security lapse, but did not receive a response. TechCrunch later emailed a Bluspark customer, a U.S. publicly traded retail company, to alert them of the upstream security lapse, but we also did not hear back.
On the third time TechCrunch emailed Bluspark’s CEO, we included a partial copy of his password to demonstrate the seriousness of the security lapse.
A couple of hours later, TechCrunch received a response — from a law firm representing Bluspark.
Plaintext passwords and an unauthenticated API
In his blog post, Zveare explained he initially discovered the vulnerabilities after visiting the website of a Bluspark customer.
Zveare wrote that the customer’s website had a contact form that allowed prospective customers to make inquiries. By viewing the web page source code with his browser’s built-in tools, Zveare noticed the form would send the customer’s message through Bluspark’s servers via its API. (An API allows two or more connected systems to communicate with each other over the internet; in this case, a website contact form and the Bluspark customer’s inbox.)
Since the email-sending code was embedded in the webpage itself, this meant it was possible for anyone to modify the code and abuse this form to send malicious emails, such as phishing lures, originating from a real Bluspark customer.
Zveare pasted the API’s web address into his browser, which loaded a page containing the API’s auto-generated documentation. This web page was a master list of all the actions that can be performed with the company’s API, such as requesting a list of users who have access to Bluspark’s platforms, as well as creating new user accounts.
The API documentation page also had a feature allowing anyone the ability to “test” the API by submitting commands to retrieve data from Bluspark’s servers as a logged-in user.
Zveare found that the API, despite the page claiming that it required authentication to use, did not need a password or any credentials to return sensitive information from Bluspark’s servers.
Using only the list of API commands, Zveare was able to retrieve reams of user account records of employees and customers who use Bluspark’s platform, entirely unauthenticated. This included usernames and passwords, which were visible in plaintext and not encrypted — including an account associated with the platform’s administrator.
With the admin’s username and password in hand, an attacker could have logged into this account and run amok. As a good-faith security researcher, Zveare could not use the credentials, as using someone else’s password without their permission is unlawful.
Since the API documentation listed a command that allowed anyone to create a new user with administrator access, Zveare went ahead and did just that, and got unrestricted access to its Bluvoyix supply chain platform. Zveare said the administrator’s level of access allowed the viewing of customer data as far back as 2007.
Zveare found that once logged in with this newly created user, each API request was wrapped in a user-specific token, which was meant to ensure the user was in fact allowed to access a portal page each time they clicked on a link. But the token was not necessary to complete the command, allowing Zveare to send requests without the token altogether, further confirming that the API was unauthenticated.
Bugs fixed, company plans new security policy
After establishing contact with Bluspark’s law firm, Zveare gave TechCrunch permission to share a copy of his vulnerability report with its representatives.
Days later, the law firm said Bluspark had remediated most of the flaws and was working to retain a third-party company for an independent assessment.
Zveare’s efforts to disclose the bugs highlight a common problem in the cybersecurity world. Companies oftentimes do not provide a way, such as a publicly listed email address, to alert them about security vulnerabilities. As such, this can make it challenging for security researchers to publicly reveal security flaws that remain active, out of concerns that disclosing details could put users’ data at risk.
Ming Lee, an attorney representing Bluspark, told TechCrunch on Tuesday the company is “confident in the steps taken to mitigate potential risk arising from the researcher’s findings,” but would not comment on specifics of the vulnerabilities or their fixes; say which third-party assessment company it retained, if any; or comment on its specific security practices.
When asked by TechCrunch, Bluspark would not say if it was able to ascertain if any of its customer shipments had been manipulated by someone maliciously exploiting the bugs. Lee said there was “no indication of customer impact or malicious activity attributable to the issues identified by the researcher.” Bluspark would not say what evidence it had to reach that conclusion.
Lee said Bluspark was planning to introduce a disclosure program, allowing outside security researchers to report bugs and flaws to the company, but that its discussions were still underway.
Bluspark CEO Ken O’Brien did not provide comment for this article.
To securely contact this reporter, you can reach out using Signal via the username: zackwhittaker.1337
