
US Cargo Firm Exposes Shipping Systems and Customer Data Online

Summary

– Security researchers have warned the shipping industry about cyberattacks linked to cargo thefts, involving collusion between hackers and organized crime.
– Bluspark Global, a key U.S. shipping tech company, recently fixed critical vulnerabilities in its Bluvoyix platform that exposed decades of customer data.
– Researcher Eaton Zveare discovered the flaws, including plaintext passwords and an unauthenticated API, but faced significant difficulty contacting the unresponsive company.
– The vulnerabilities allowed unauthorized access to create admin accounts and view sensitive shipment data, posing a severe security risk until patched.
– Bluspark has now resolved the issues and plans to establish a disclosure program for future vulnerability reports, though it claims no evidence of malicious exploitation.

Security experts have been sounding the alarm for the past year, warning the international shipping sector to significantly bolster its digital protections. A troubling trend has emerged where sophisticated cyberattacks on logistics firms are facilitating the large-scale theft and diversion of customer goods, effectively creating a dangerous partnership between hackers and organized criminal networks. This isn’t about minor thefts; it’s a systematic threat to global supply chains.

In this context, a recent incident involving a key U.S. shipping technology provider underscores just how vulnerable these critical systems can be. Bluspark Global, a New York-based company, spent recent months repairing a series of basic security weaknesses in its Bluvoyix platform. This software is used by hundreds of major corporations, including prominent retailers, grocery chains, and furniture manufacturers, to manage and track freight shipments worldwide. For a period, these vulnerabilities left the platform’s digital doors unlocked, potentially exposing decades of sensitive customer shipment data to anyone on the internet.

The company has stated that all identified security issues are now resolved. The flaws, discovered by researcher Eaton Zveare in October, were severe. They included the use of plaintext passwords for both employees and customers and a critical flaw allowing remote, unauthenticated access to the core shipping software. This combination could have granted attackers complete visibility into a customer’s logistics operations and historical records.

Zveare’s attempt to responsibly report these problems, however, hit a major roadblock: Bluspark had no publicly available channel for security disclosures. After submitting his findings through a maritime security nonprofit and attempting contact via email, voicemail, and LinkedIn for weeks with no response, he reached out to TechCrunch. Even direct emails from the publication to Bluspark’s CEO and senior leadership went unanswered. It was only after a follow-up email that included a portion of the CEO’s own exposed password, demonstrating the lapse’s severity, that a response arrived, via the company’s legal counsel.

The path to discovery began when Zveare examined a Bluspark client’s website. He noticed a contact form that communicated through Bluspark’s application programming interface (API). By investigating further, he accessed the API’s public documentation page, which essentially provided a blueprint of all possible commands. Despite claims that authentication was required, the API demanded no credentials whatsoever. Using this open access, Zveare retrieved extensive user records, including usernames and unencrypted passwords, one belonging to a platform administrator.

Although he could have used these credentials, doing so would have been illegal. Instead, he used an API command listed in the documentation to create a new user account with full administrative privileges. This granted him unrestricted entry into the Bluvoyix platform, where he could view customer data dating back to 2007. Further testing confirmed the API’s lack of proper authentication, as requests could be sent without the required user tokens.
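The gap between documented and enforced authentication is the kind of failure a deployment-time regression check can catch. The following is an added example, not code from the article or from Bluspark: it audits every documented route with a credential-less request, and contrasts a handler that skips the token check with one that denies by default and returns user records without password material. The route names, token and user record are constructed for illustration.

```python
import hashlib, hmac, os

# Constructed stand-in for an API's published route list; the paths, token
# and user record are hypothetical and do not come from Bluvoyix.
DOCUMENTED_ROUTES = [("GET", "/users"), ("POST", "/users"), ("GET", "/shipments")]
VALID_TOKENS = {"constructed-token-123"}

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the store never holds the plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

_salt, _digest = hash_password("constructed-Passw0rd")
USERS = [{"username": "admin", "role": "admin", "salt": _salt, "pw_hash": _digest}]

def public_view(user):
    """Serialize a user without any credential material."""
    return {"username": user["username"], "role": user["role"]}

def handle_weak(method, path, headers):
    """Documented as authenticated, but the token is never checked."""
    if (method, path) not in DOCUMENTED_ROUTES:
        return 404, None
    return 200, "ok"

def handle_hardened(method, path, headers):
    """Deny by default: every documented route needs a valid bearer token."""
    if (method, path) not in DOCUMENTED_ROUTES:
        return 404, None
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token not in VALID_TOKENS:
        return 401, None
    if (method, path) == ("GET", "/users"):
        return 200, [public_view(u) for u in USERS]
    return 200, "ok"

def audit_unauthenticated(handler):
    """Return documented routes that answer a request carrying no credentials."""
    return sorted(r for r in DOCUMENTED_ROUTES if handler(*r, {})[0] != 401)

if __name__ == "__main__":
    print("weak:", audit_unauthenticated(handle_weak))
    print("hardened:", audit_unauthenticated(handle_hardened))
```

Run against a real service, the same audit belongs in CI: any documented route that answers without credentials should fail the build.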

Following contact from Bluspark’s legal team, Zveare provided his full vulnerability report. Bluspark’s attorneys later confirmed that most flaws had been remediated and that the company was seeking a third-party security assessment. They expressed confidence in the mitigation steps taken but declined to comment on the specifics of the vulnerabilities, the assessment firm, or the company’s security practices. When questioned, Bluspark stated there was “no indication of customer impact or malicious activity” but did not elaborate on the evidence supporting that conclusion.

The company’s attorney, Ming Lee, mentioned that Bluspark is planning to establish a formal vulnerability disclosure program to facilitate future reports from external researchers, though those discussions are ongoing. The episode highlights a persistent challenge in cybersecurity: many organizations lack clear, public avenues for reporting critical security flaws, leaving researchers in a difficult position when trying to protect user data from ongoing risks.

(Source: TechCrunch)
