Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Over the past year, security researchers have urged the global shipping industry to shore up their cyber defenses after a series of cargo thefts that were linked to hackers. Researchers say they have seen elaborate hacks targeting logistics companies to hijack and redirect large quantities of their customers’ products into the hands of criminals, in what has become a worrying collusion between hackers and real-life organized crime gangs.
A stolen truckload of vapes here, a suspected lobster heist there.
A little-known but critical US shipping technology company has spent the last few months patching its own systems after discovering a slew of minor vulnerabilities that inadvertently left the doors of its shipping platform wide open to anyone on the internet.
The company is Bluspark Global, a New York-based company whose shipping and supply chain platform, Bluvoyix, allows hundreds of major companies to transport their products and track their cargo as they travel around the world. Although Bluspark may not be a household name, the company helps power a wide swath of global freight shipments, including retail giants, grocery stores, furniture makers, and more. The company’s software is also used by several other Bluspark subsidiaries.
Bluspark told TechCrunch this week that its security issues have now been resolved. The company fixed five flaws in its platform, including the storage of employees’ and customers’ passwords in plain text, and the ability to access and interact with Bluvoyix’s shipping software remotely. The flaws exposed all customer data, including shipping records dating back decades.
But for security researcher Eaton Zveare, who discovered the vulnerabilities in Bluspark’s systems in October, alerting the company to the security flaws took longer than discovering the bugs themselves — since Bluspark had no clear way to contact it.
In a blog post published today, Zveare said he had provided details of the five flaws in the Bluspark platform to Maritime Hacking Village, a non-profit organization that works to secure the maritime space and, as in this case, helps researchers notify companies in the maritime industry of active security flaws.
Weeks later, after several emails, voicemails and LinkedIn messages, the company had not responded to Zveare. Meanwhile, the flaws remained exploitable by anyone on the Internet.
As a last resort, Zveare contacted TechCrunch in an attempt to flag the issues.
TechCrunch sent emails to Bluspark CEO Ken O’Brien and the company’s senior leadership alerting them to the vulnerability, but received no response. TechCrunch later emailed a customer of Bluspark, a publicly traded US retailer, alerting them of the vulnerability upstream, but we did not receive a response either.
The third time TechCrunch emailed Bluspark’s CEO, we included a partial copy of his password to demonstrate the severity of the vulnerability.
A few hours later, TechCrunch received a response – from a law firm representing Bluspark.
In his blog post, Zveare explained that he initially discovered the vulnerabilities after visiting the website of a Bluspark customer.
The customer’s website contains a contact form that allows potential customers to make inquiries, Zveare wrote. By viewing the source code of the web page using the tools built into his browser, Zveare observed that the form would send the visitor’s message through Bluspark’s servers via its API. (An API allows two or more connected systems to communicate with each other over the Internet; in this case, the website contact form and the Bluspark customer’s inbox.)
Since the code to send the email was embedded in the web page itself, anyone could modify that code and misuse the form to send malicious emails, such as phishing lures, that appeared to originate from a real Bluspark customer.
Zveare pasted the API’s web address into his browser, which loaded a page containing automatically generated API documentation. This page was effectively a main menu of every action that can be performed using the company’s application programming interface (API), such as requesting a list of users who have access to the Bluspark platforms, as well as creating new user accounts.
The API documentation page also has a feature that allows anyone to “test” the API by sending commands that retrieve data from Bluspark’s servers as if they were a logged-in user.
Zveare found that the API, despite the page claiming that it requires authentication, did not need a password or any other credentials to return sensitive information from Bluspark’s servers.
Using just the list of API commands, Zveare was able to retrieve a large set of user account records for employees and customers of the Bluspark platform, without authenticating at all. This included usernames and passwords, which were visible in plain text and unencrypted — including the account belonging to the platform administrator.
With the administrator’s username and password in hand, an attacker could have logged into that account and caused chaos. As a bona fide security researcher, Zveare could not use the credentials, because using someone else’s password without their permission is illegal.
Since the API documentation listed a command that allows anyone to create a new user with administrator access, Zveare went ahead and did just that, gaining unrestricted access to the company’s Bluvoyix supply chain platform. Administrator access allowed customer data to be viewed going back to 2007, Zveare said.
Zveare discovered that once logged in with this newly created user, each API request was wrapped with a user-specific token, which was intended to ensure the user was actually allowed access to the portal page every time they clicked on a link. But the token was not necessary to complete the command, allowing Zveare to send requests without the token entirely, further confirming that the API was not authenticated.
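The two defects described above, an API that processes requests when the per-request token is simply omitted and a user store that keeps passwords in plain text, are easy to reproduce and easy to fix. The following is an added example written for this page, not Bluspark’s code, and the token table, user table, header name `X-Auth-Token` and request shape are all constructed for the example. It shows the token check as a token-optional verifier beside the required-token form, puts the administrator role check on the user-creation handler, and stores credentials as salted PBKDF2 hashes rather than plain text.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example: a session-token table and a user
# table. In a real service these would live in a session store and a database.
SESSION_TOKENS = {"tok-admin-1": "admin", "tok-user-7": "jdoe"}
USERS = {
    "admin": {"role": "administrator"},
    "jdoe": {"role": "customer"},
}

PBKDF2_ROUNDS = 200_000


def verify_token_optional(request: dict):
    """The defective pattern the article describes: the per-request token is
    validated only when the client sends one. A request with no token header
    is treated as authenticated, so the check protects nothing."""
    token = request.get("headers", {}).get("X-Auth-Token")
    if token is None:
        return "anonymous"            # processed anyway: this is the defect
    return SESSION_TOKENS.get(token)  # None for an unknown token


def verify_token_required(request: dict):
    """Hardened form: a missing token, a malformed token and an unknown token
    all yield None, and every handler refuses a None caller."""
    token = request.get("headers", {}).get("X-Auth-Token")
    if not isinstance(token, str):
        return None
    return SESSION_TOKENS.get(token)


def list_users(request: dict, verifier) -> dict:
    """'List users' endpoint. `verifier` selects which token check applies."""
    caller = verifier(request)
    if caller is None:
        return {"status": 401, "body": {"error": "authentication required"}}
    # Return only usernames: stored secrets never leave the server, even to
    # an authenticated caller.
    return {"status": 200, "body": {"users": sorted(USERS)}}


def create_user(request: dict, verifier) -> dict:
    """'Create user' endpoint: authentication alone is not enough, the caller
    must also hold the administrator role."""
    caller = verifier(request)
    if caller is None:
        return {"status": 401, "body": {"error": "authentication required"}}
    if USERS.get(caller, {}).get("role") != "administrator":
        return {"status": 403, "body": {"error": "administrator role required"}}
    body = request.get("body", {})
    USERS[body["username"]] = {"role": body.get("role", "customer")}
    return {"status": 201, "body": {"created": body["username"]}}


def hash_password(password: str, salt: bytes = None) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    no_token = {"headers": {}}
    print("optional check, no token:", list_users(no_token, verify_token_optional)["status"])
    print("required check, no token:", list_users(no_token, verify_token_required)["status"])
```

Run stand-alone, the block prints 200 for the token-optional verifier and 401 for the required one on the same token-less request, which is the whole difference between the behaviour Zveare reported and the fix. The role check on `create_user` is the second control the article shows missing: an authenticated ordinary user gets 403 rather than an administrator account.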
After Bluspark’s law firm made contact, Zveare gave TechCrunch permission to share a copy of his vulnerability report with the company’s representatives.
Days later, the law firm said Bluspark had addressed most of the defects and was working on hiring an outside firm to conduct an independent evaluation.
Zveare’s efforts to uncover the bug highlight a common problem in the world of cybersecurity. Often, companies don’t provide a way, such as a publicly listed email address, to be alerted about vulnerabilities. As such, this may make it difficult for security researchers to publicly disclose security flaws that are still active, due to concerns that revealing details could put users’ data at risk.
Ming Li, an attorney representing Bluspark, told TechCrunch on Tuesday that the company is “confident in the steps taken to mitigate potential risks arising from the researcher’s findings,” but would not comment on details of the vulnerabilities or their fixes, identify the third-party assessment firm contracted, if any, or comment on its specific security practices.
When asked by TechCrunch, Bluspark did not say whether it was able to confirm whether any of its customers’ shipments had been tampered with by someone maliciously exploiting the bugs. “There is no indication of customer influence or malicious activity attributable to the issues identified by the researcher,” Li said. Bluspark did not say what evidence it had to reach this conclusion.
Bluspark was planning to introduce a disclosure program that would allow outside security researchers to report bugs and flaws to the company, but its discussions are still ongoing, Li said.
Bluspark CEO Ken O’Brien did not provide a comment for this article.
To communicate securely with this reporter, you can contact him using the Signal app via the username: zackwhittaker.1337