For the past year, security researchers have been urging the global shipping industry to shore up its cyber defenses after a spate of cargo thefts were linked to hackers. The researchers describe elaborate hacks targeting logistics companies to hijack and redirect large amounts of their customers’ products into the hands of criminals. This represents an alarming collusion between hackers and real-life organized crime gangs, with incidents ranging from a delivery truck of stolen vapes to a suspected lobster heist.
One little-known but critical U.S. shipping tech company has spent the last few months patching its own systems following the discovery of a raft of simple vulnerabilities. These flaws inadvertently left the doors to its shipping platform wide open to anyone on the internet.
The company is Bluspark Global, a New York-based firm whose shipping and supply chain platform, Bluvoyix, allows hundreds of large companies to transport their products and track their cargo globally. While Bluspark may not be a household name, it helps power a large slice of worldwide freight shipments for retail giants, grocery stores, furniture makers, and more. The company’s software is also used by several other affiliated companies.
Bluspark stated this week that its security issues are now resolved. The company fixed five flaws in its platform, including the use of plaintext passwords by employees and customers and the ability to remotely access and interact with Bluvoyix’s shipping software. The flaws exposed access to all customer data, including shipment records dating back decades.
However, for security researcher Eaton Zveare, who uncovered the vulnerabilities in Bluspark’s systems back in October, alerting the company to the security flaws took longer than discovering the bugs themselves. This was because Bluspark had no discernible way for outsiders to contact it.
Zveare submitted details of the five flaws to the Maritime Hacking Village, a non-profit that works to secure the maritime space and helps researchers notify companies of active security flaws. Weeks later, after multiple emails, voicemails, and LinkedIn messages, the company had not responded. All the while, the flaws remained exploitable by anyone on the internet.
As a last resort, Zveare contacted a news outlet in an effort to get the issues flagged. The outlet sent emails to Bluspark CEO Ken O’Brien and the company’s senior leadership alerting them to the security lapse but received no response. The outlet later emailed a Bluspark customer, a U.S. publicly traded retail company, to alert them of the upstream security lapse, but also heard nothing back.
On the third attempt, the outlet included a partial copy of the CEO’s password to demonstrate the seriousness of the lapse. A couple of hours later, a response arrived from a law firm representing Bluspark.
Zveare explained he initially discovered the vulnerabilities after visiting the website of a Bluspark customer. The customer’s website had a contact form that sent messages through Bluspark’s servers via its API. Since the email-sending code was embedded in the webpage, anyone could modify the code to abuse this form and send malicious emails originating from a real Bluspark customer.
Zveare pasted the API’s web address into his browser, which loaded a page containing the API’s auto-generated documentation. This page was a master list of all actions that could be performed with the company’s API, such as requesting a list of platform users or creating new user accounts.
The API documentation page also had a feature allowing anyone to “test” the API by submitting commands to retrieve data from Bluspark’s servers as a logged-in user. Zveare found the API did not require a password or any credentials to return sensitive information, despite claims that authentication was needed.
Using only the list of API commands, Zveare was able to retrieve reams of user account records for employees and customers, entirely unauthenticated. This included usernames and passwords visible in plaintext, including an account associated with the platform’s administrator.
With the admin’s credentials, an attacker could have logged in and run amok. As a security researcher acting in good faith, Zveare could not use the credentials, as doing so would be unlawful. Since the API documentation listed a command to create a new user with administrator access, Zveare did just that and gained unrestricted access to the Bluvoyix platform. This access allowed viewing of customer data as far back as 2007.
Zveare found that once logged in, each API request was wrapped in a user-specific token meant to verify access. However, the token was not necessary to complete commands, further confirming the API was unauthenticated.
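The two defects described above (a token that is attached to every request but never checked, and user records stored and returned with plaintext passwords) are easy to model. The following is an added illustration, not Bluspark’s code and not part of the original article: a minimal request handler in its flawed form next to a hardened one that verifies an opaque session token server-side, enforces an admin role on the user-listing and user-creation actions, and stores only salted password hashes. The user table, endpoint names and token format are all constructed for the example.

```python
"""Vulnerable vs. hardened handlers for a 'list users' / 'create user' API.
Everything here is constructed for illustration; nothing is from the article."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample user table with plaintext passwords (the anti-pattern).
USERS = {
    "admin": {"password": "Winter2024!", "role": "admin"},
    "dispatcher": {"password": "ship-it", "role": "user"},
}

# --- Flawed handler: token is read but plays no part in the decision ---------

def vulnerable_list_users(headers: dict) -> dict:
    """Returns every record, secrets included, whatever the Authorization header says."""
    _token = headers.get("Authorization")  # received and then ignored
    return {"status": 200, "body": [
        {"username": u, "password": r["password"], "role": r["role"]}
        for u, r in USERS.items()
    ]}

# --- Hardened handler --------------------------------------------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the store keeps (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

HARDENED_USERS: Dict[str, dict] = {}
for _name, _rec in USERS.items():
    _salt, _digest = hash_password(_rec["password"])
    HARDENED_USERS[_name] = {"salt": _salt, "hash": _digest, "role": _rec["role"]}

# Server-side session store: random opaque token -> username.
SESSIONS: Dict[str, str] = {}

def login(username: str, password: str) -> Optional[str]:
    """Verifies the password in constant time and issues a session token on success."""
    rec = HARDENED_USERS.get(username)
    if rec is None:
        hash_password(password)  # keep timing similar for unknown users
        return None
    _, digest = hash_password(password, rec["salt"])
    if not hmac.compare_digest(digest, rec["hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def authenticate(headers: dict) -> Optional[str]:
    """Maps a 'Bearer <token>' header to a username, or None if unknown/absent."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])

def _require_admin(headers: dict) -> Optional[dict]:
    """Returns an error response if the caller is not an authenticated admin."""
    user = authenticate(headers)
    if user is None:
        return {"status": 401, "body": {"error": "authentication required"}}
    if HARDENED_USERS[user]["role"] != "admin":
        return {"status": 403, "body": {"error": "admin role required"}}
    return None

def hardened_list_users(headers: dict) -> dict:
    """Admin-only listing that never returns credentials, hashed or otherwise."""
    err = _require_admin(headers)
    if err:
        return err
    return {"status": 200, "body": [
        {"username": u, "role": r["role"]} for u, r in HARDENED_USERS.items()
    ]}

def hardened_create_user(headers: dict, username: str, password: str, role: str) -> dict:
    """Admin-only account creation; the flaw in the article let anyone do this."""
    err = _require_admin(headers)
    if err:
        return err
    if username in HARDENED_USERS or role not in ("admin", "user"):
        return {"status": 400, "body": {"error": "invalid username or role"}}
    salt, digest = hash_password(password)
    HARDENED_USERS[username] = {"salt": salt, "hash": digest, "role": role}
    return {"status": 201, "body": {"username": username, "role": role}}
```

The design point is that authorization must be a decision made server-side from state the client cannot forge (the session table), not a header the handler merely carries along. The same reasoning applies to auto-generated documentation with a “try it” console: the console should go through the identical authentication path as every other request, or be disabled outside development.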
After establishing contact with Bluspark’s law firm, Zveare shared his vulnerability report with its representatives. Days later, the law firm said Bluspark had remediated most of the flaws and was working to retain a third-party company for an independent assessment.
Zveare’s efforts highlight a common problem in cybersecurity. Companies often do not provide a public way, such as a listed email address, to alert them about security vulnerabilities. This can make it challenging for researchers to disclose flaws publicly, out of concern that doing so could put users’ data at risk while the flaws remain active.
An attorney representing Bluspark stated the company is confident in the steps taken to mitigate potential risk from the researcher’s findings. The company would not comment on specifics of the vulnerabilities or their fixes, name any third-party assessment company, or comment on its specific security practices.
When asked, Bluspark would not say if it was able to ascertain whether any customer shipments had been manipulated by someone maliciously exploiting the bugs. The attorney said there was no indication of customer impact or malicious activity attributable to the issues identified by the researcher, but Bluspark would not say what evidence it had to reach that conclusion.
The attorney said Bluspark was planning to introduce a disclosure program to allow outside security researchers to report bugs, but that discussions were still underway. Bluspark CEO Ken O’Brien did not provide comment for this article.