The US shipping technology company has publicly exposed its shipping systems and customer data online

🔥 Check out this must-read post from TechCrunch 📖

📂 **Category**: Security,Transportation,cargo,cybersecurity,data exposure,Exclusive,freight,Shipping


Over the past year, security researchers have urged the global shipping industry to shore up their cyber defenses after a series of cargo thefts that were linked to hackers. Researchers say they have seen elaborate hacks targeting logistics companies to hijack and redirect large quantities of their customers’ products into the hands of criminals, in what has become a worrying collusion between hackers and real-life organized crime gangs.

A truckload of e-cigarettes stolen here, a suspected lobster heist there.

A little-known but critical US shipping technology company has spent the last few months patching its own systems after the discovery of a series of simple vulnerabilities that inadvertently left the doors to its shipping platform wide open to anyone on the internet.

The company is Bluspark Global, a New York-based company whose shipping and supply chain platform, Bluvoyix, allows hundreds of major companies to ship their products and track their cargo as it travels around the world. Although Bluspark may not be a household name, the company helps power a wide swath of global freight shipments for retail giants, grocery stores, furniture makers, and more. The company’s software is also used by several other Bluspark subsidiaries.

Bluspark told TechCrunch this week that its security issues have now been resolved. The company fixed five flaws in its platform, including employees’ and customers’ passwords being stored in plain text, and the ability to remotely access and interact with Bluvoyix’s shipping software. The flaws exposed all customer data, including shipping records dating back decades.

But for security researcher Eaton Zveare, who discovered the vulnerabilities in Bluspark’s systems in October, alerting the company to the security flaws took longer than finding the bugs themselves, since Bluspark had no clear way to contact it.

In a now-published blog post, Zveare said he has provided details of the five flaws in the Bluspark platform to Maritime Hacking Village, a non-profit organization that works to secure the maritime space and, as in this case, helps researchers notify companies in the maritime industry of active security flaws.

Weeks later, after numerous emails, voicemails and LinkedIn messages, the company had still not responded to Zveare. Meanwhile, the flaws remained exploitable by anyone on the internet.

As a last resort, Zveare contacted TechCrunch in an attempt to flag the issues.

TechCrunch sent emails to Bluspark CEO Ken O’Brien and the company’s senior leadership alerting them to the vulnerabilities, but received no response. TechCrunch later emailed a customer of Bluspark, a publicly traded US retailer, alerting it to the vulnerabilities upstream, but we did not receive a response either.

The third time TechCrunch emailed Bluspark’s CEO, we included a partial copy of his password to demonstrate the severity of the vulnerability.

A few hours later, TechCrunch received a response – from a law firm representing Bluspark.

Plaintext passwords and an unauthenticated API

In his blog post, Zveare explained that he initially discovered the vulnerabilities after visiting the website of a Bluspark customer.

The customer’s website contains a contact form that allows potential customers to make inquiries, Zveare wrote. By viewing the source code of the web page using the tools built into his browser, Zveare observed that the form sent the customer’s message through Bluspark’s servers via its API. (An API allows two or more connected systems to communicate with each other over the internet; in this case, the website contact form and the Bluspark customer’s inbox.)

Since the email sending code was embedded in the web page itself, this meant it was possible for someone to modify the code and abuse this form to send malicious emails, such as phishing lures, originating from a real Bluspark client.

Zveare pasted the API’s web address into his browser, which loaded a page containing automatically generated API documentation. This web page was a master list of all actions that could be performed using the company’s API, such as requesting a list of users with access to Bluspark platforms, as well as creating new user accounts.

The API documentation page also had a feature that let anyone “test” the API by sending commands that retrieved data from Bluspark’s servers as if they were a logged-in user.

Zveare found that the API, although the page claimed it required authentication, did not need a password or any other credentials to return sensitive information from Bluspark’s servers.

Using only the list of API commands, Zveare was able to retrieve a large set of user account records for employees and customers of the Bluspark platform without any authentication. These included usernames and passwords, visible in plain text and unencrypted, including the account belonging to the platform administrator.

With the administrator’s username and password in hand, an attacker could have logged into that account and caused chaos. As a bona fide security researcher, Zveare could not use the credentials, because using someone else’s password without their permission is illegal.

Since the API documentation listed a command that allowed anyone to create a new user with admin access, Zveare did just that, gaining unrestricted access to Bluspark’s Bluvoyix supply chain platform. That administrator-level access allowed customer data dating back to 2007 to be viewed, Zveare said.

Zveare discovered that once logged in as this newly created user, each API request carried a user-specific token, intended to ensure the user was actually allowed to access the portal page each time they clicked a link. But the token was not needed for a command to complete, so Zveare could send requests without the token entirely, further confirming that the API was unauthenticated.
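The two server-side mistakes described above (a token that rides along with every request but is never checked, and a user listing that hands back plaintext passwords) beside a hardened form, as an added example written for this page and not Bluspark’s code; the endpoint paths, token store and sample accounts are invented for illustration:

```python
import hashlib
import hmac
import os

# Constructed sample data for illustration only; none of it is Bluspark's.
# Weak pattern: passwords stored, and returned, in plain text.
PLAINTEXT_USERS = {"admin": {"password": "hunter2", "role": "admin"}}
SESSIONS = {"tok-admin": "admin"}  # session token -> username

def vulnerable_dispatch(path, token=None):
    """Mirrors the reported behaviour: a token is attached to each request,
    but the server never looks at it, so the user listing is effectively public."""
    if path == "/users":
        return 200, [{"user": u, "password": d["password"]}
                     for u, d in PLAINTEXT_USERS.items()]
    return 404, None

def hash_password(password, salt=None):
    """Salted PBKDF2: a dumped user table no longer yields reusable credentials."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

HASHED_USERS = {}
def add_user(user, password, role):
    salt, digest = hash_password(password)
    HASHED_USERS[user] = {"salt": salt, "hash": digest, "role": role}
add_user("admin", "hunter2", "admin")

def fixed_dispatch(path, token=None, body=None):
    """Hardened form: the token is mandatory and validated before any handler
    runs, account creation checks the caller's role, and the listing never
    includes a secret field (neither the password nor its hash)."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    if path == "/users":
        return 200, [{"user": u, "role": d["role"]} for u, d in HASHED_USERS.items()]
    if path == "/users/create":
        if HASHED_USERS[caller]["role"] != "admin":
            return 403, None
        add_user(body["user"], body["password"], body["role"])
        return 201, None
    return 404, None

def verify_login(user, password):
    """Constant-time comparison against the stored salted hash."""
    rec = HASHED_USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"])[1], rec["hash"])
```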

The bugs have been fixed, and the company is planning a new security policy

After Bluspark’s law firm made contact, Zveare gave TechCrunch permission to share a copy of his vulnerability report with the company’s representatives.

Days later, the law firm said Bluspark had addressed most of the defects and was working on hiring an outside firm to conduct an independent evaluation.

Zveare’s efforts to report the bugs highlight a common problem in the world of cybersecurity. Often, companies don’t provide a way, such as a publicly listed email address, to be alerted about vulnerabilities. This can make it difficult for security researchers to publicly disclose security flaws that are still active, given concerns that revealing details could put users’ data at risk.

Ming Li, an attorney representing Bluspark, told TechCrunch on Tuesday that the company is “confident in the steps taken to mitigate potential risks arising from the researcher’s findings,” but would not comment on the details of the vulnerabilities or their fixes, identify the third-party assessment firm it contracted, if any, or comment on its specific security practices.

When asked by TechCrunch, Bluspark did not say whether it was able to confirm whether any of its customers’ shipments had been tampered with by someone maliciously exploiting the bugs. “There is no indication of customer influence or malicious activity attributable to the issues identified by the researcher,” Li said. Bluspark did not say what evidence it had to reach this conclusion.

Bluspark was planning to introduce a disclosure program that would allow outside security researchers to report bugs and flaws to the company, but its discussions are still ongoing, Li said.

Bluspark CEO Ken O’Brien did not provide a comment for this article.

To communicate securely with this reporter, you can contact him using the Signal app via the username: zackwhittaker.1337


🕒 **Posted on**: 1768405291
