Over the past year, security researchers have been urging the global shipping industry to strengthen its cyber defenses after a spate of cargo thefts by hackers. Researchers say they witnessed an elaborate hack that targeted a logistics company to hijack a large number of customers' products and redirect them into the hands of criminals, marking an alarming collusion between hackers and real-life organized crime groups.
In one case a truckload of e-cigarettes was stolen; in another, a suspected lobster heist.
One of the lesser-known but important US maritime technology companies has spent the past few months patching its systems after a number of simple vulnerabilities were discovered. The vulnerabilities inadvertently left the door to its shipping platform wide open to anyone on the internet.
The company is New York-based Bluspark Global, whose shipping and supply chain platform Bluvoyix enables hundreds of large companies to transport products and track shipments as they move around the world. Bluspark may not be a household name, but the company powers a large portion of freight transportation around the world, including retail giants, grocery stores, furniture manufacturers, and more. The company's software is also used by several other companies that partner with Bluspark.
Bluspark told TechCrunch this week that the security issue has now been resolved. The company fixed five flaws in its platform, including the use of cleartext passwords by employees and customers and the ability to remotely access and manipulate Bluvoyix's shipping software. The flaw exposed access to all customer data, including shipping records dating back decades.
But for Eaton Zveare, the security researcher who discovered the vulnerabilities in Bluspark's systems in October, alerting the company to the security flaws took longer than finding the bugs themselves, because Bluspark offered no obvious way to contact it.
In a now-published blog post, Zveare said he submitted details of five flaws in Bluspark's platform to the Maritime Hacking Village, a nonprofit organization that works to secure the maritime sector and helps researchers notify companies in the maritime industry of active security flaws, as in this case.
Weeks later, and after multiple emails, voicemails, and LinkedIn messages, the company had not responded to Zveare. In the meantime, anyone on the Internet could exploit this flaw.
As a last resort, Zveare contacted TechCrunch and tried to get them to flag the issue.
TechCrunch sent an email to Bluspark CEO Ken O'Brien and senior executives at the company alerting them to the security flaws, but did not receive a response. TechCrunch subsequently emailed a Bluspark customer, a publicly traded US retailer, warning it of the upstream security issue, but also received no response.
When TechCrunch sent a third email to Bluspark's CEO, it included a partial copy of his password to demonstrate the severity of the security flaw.
A few hours later, TechCrunch received a response from the law firm representing Bluspark.
Plaintext passwords and unauthenticated APIs
Zveare explained in a blog post that he discovered the vulnerability after first visiting a Bluspark customer's website.
Zveare wrote that the customer's website had a contact form where prospective customers could send inquiries. By viewing the web page's source code in the browser's built-in developer tools, Zveare realized that the form sent the visitor's message through Bluspark's servers via an API. (APIs allow two or more connected systems to communicate with each other over the Internet; in this case, the website's contact form and the Bluspark customer's inbox.)
Because the email-sending code was embedded in the web page itself, anyone could modify it and abuse the form to send malicious emails, including phishing messages that would appear to originate from real Bluspark customers.
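The design flaw here is that the browser, rather than the server, decides where the message goes and what it looks like. The following added example (hypothetical code, not Bluspark's or the customer's, using a constructed tenant directory and an in-memory outbox in place of a mail server) shows the weak pattern beside a hardened relay that resolves the recipient server-side from a tenant identifier, validates the sender address, strips header-injection characters and labels the message as a web inquiry:

```python
"""Contact-form relay: weak pattern beside a hardened one.

Added illustration with constructed data; not the page's or any vendor's code.
"""
import re
from dataclasses import dataclass


@dataclass
class Mail:
    to: str
    reply_to: str
    subject: str
    body: str


# Constructed tenant directory (hypothetical): the only inboxes the relay may
# ever deliver to. Real deployments would load this from configuration.
TENANT_INBOX = {
    "acme-retail": "sales@acme-retail.example",
    "harbor-grocers": "inquiries@harbor-grocers.example",
}

# Deliberately simple sender check: one local part, one "@", one domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def relay_weak(payload: dict, outbox: list) -> bool:
    """Weak: every field, including the destination, is taken from the browser."""
    outbox.append(Mail(payload["to"], payload["from"], payload["subject"], payload["body"]))
    return True


def relay_hardened(payload: dict, outbox: list, max_body: int = 4000) -> bool:
    """Hardened: the recipient comes from the tenant directory, never from the client."""
    tenant = payload.get("tenant")
    if tenant not in TENANT_INBOX:
        return False  # unknown tenant: refuse rather than guess
    sender = payload.get("from", "")
    # Reject anything that is not a single plain address; CR/LF would allow
    # header injection (extra Bcc/To lines) in a real SMTP backend.
    if not EMAIL_RE.match(sender) or "\r" in sender or "\n" in sender:
        return False
    subject = payload.get("subject", "")[:200].replace("\r", " ").replace("\n", " ")
    body = payload.get("body", "")[:max_body]
    # Fixed prefix makes clear this is a web inquiry, not mail sent by the tenant.
    outbox.append(Mail(TENANT_INBOX[tenant], sender, "[Website inquiry] " + subject, body))
    return True


if __name__ == "__main__":
    box: list = []
    ok = relay_hardened({"tenant": "acme-retail", "from": "buyer@example.com",
                         "subject": "Quote request", "body": "Hello"}, box)
    print(ok, box)
```

The hardened variant never reads a `to` field at all: a client that tries to supply one is simply ignored, and an unknown tenant or a malformed sender causes the request to be refused before anything reaches the outbox.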
Zveare pasted the API's web address into his browser, which loaded a page containing automatically generated documentation for the API. This web page was a master list of all the actions that could be performed with the company's API, such as requesting a list of users with access to Bluspark's platform and creating new user accounts.
The API documentation page also included a feature that allowed anyone to “test” the API by submitting commands to retrieve data from Bluspark's servers as a logged-in user.
Zveare discovered that the API does not require passwords or credentials to return sensitive information from Bluspark's servers, despite the page claiming that authentication is required to use it.
Using only the list of API commands, Zveare was able to retrieve a large number of user account records for employees and customers of Bluspark's platform, entirely without authentication. The records included usernames and passwords stored and returned in clear text, among them accounts belonging to the platform's administrators.
Once an attacker has obtained an administrator's username and password, they could log into that account and do as they pleased. Zveare, a bona fide security researcher, did not use the credentials, because using someone else's password without permission is illegal.
The API documentation included a command that would allow anyone to create a new user with administrator access, so Zveare did just that and gained unrestricted access to the Bluvoyix supply chain platform. Zveare said the administrator access level allowed him to view customer data dating back to 2007.
Zveare discovered that, once he logged in as this newly created user, each API request carried a user-specific token, presumably meant to verify on every click that the user was actually authorized to view the portal page. However, the server did not require the token to complete a command: Zveare could send the request with no token at all, further confirming that the API was not enforcing authentication.
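The two failures described above, documentation that claims authentication while endpoints return data anonymously, and a per-request token that is attached but never checked, share a root cause: authentication is opt-in per endpoint rather than enforced by default. The following added example (hypothetical code, not Bluspark's; standard library only, with constructed users) shows a small deny-by-default router in which every route requires a valid session unless explicitly marked public, passwords are stored only as salted PBKDF2 digests, the user listing never returns password material, and a probe function repeats the researcher's check of calling every route with no token to find any that answer anyway:

```python
"""Deny-by-default API authentication.

Added illustration, not the page's or any vendor's code. Hypothetical router.
"""
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the clear-text password is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class Api:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}            # username -> {salt, digest, role}
        self.sessions: Dict[str, str] = {}          # session token -> username
        self.routes: Dict[str, Tuple[Callable, bool]] = {}  # name -> (handler, public)

    def route(self, name: str, public: bool = False):
        """Register a handler; routes are private unless explicitly public."""
        def deco(fn):
            self.routes[name] = (fn, public)
            return fn
        return deco

    def call(self, name: str, token: Optional[str] = None, **params):
        handler, public = self.routes[name]
        if public:
            return handler(self, None, **params)
        user = self.sessions.get(token) if token else None
        if user is None:
            raise PermissionError("authentication required")  # checked on every call
        return handler(self, user, **params)

    def add_user(self, username: str, password: str, role: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "role": role}


def build_demo_api() -> Api:
    api = Api()
    # Constructed sample accounts (hypothetical).
    api.add_user("admin", "admin-demo-pw", "admin")
    api.add_user("alice", "alice-demo-pw", "user")

    @api.route("login", public=True)
    def login(api: Api, _user, username: str, password: str) -> str:
        rec = api.users.get(username)
        if rec is None or not verify_password(password, rec["salt"], rec["digest"]):
            raise PermissionError("invalid credentials")
        token = secrets.token_urlsafe(32)
        api.sessions[token] = username
        return token

    @api.route("list_users")
    def list_users(api: Api, _user):
        # Only non-secret fields leave the server; no salt, digest or password.
        return [{"username": u, "role": r["role"]} for u, r in api.users.items()]

    @api.route("create_user")
    def create_user(api: Api, user: str, username: str, password: str, role: str) -> bool:
        if api.users[user]["role"] != "admin":
            raise PermissionError("admin role required")  # authorization, not just authentication
        api.add_user(username, password, role)
        return True

    return api


def probe_anonymous(api: Api) -> list:
    """Call every route with no token; report those whose handler is reached anyway."""
    reached = []
    for name in api.routes:
        try:
            api.call(name, token=None)
        except PermissionError:
            continue          # rejected before the handler ran: good
        except TypeError:
            reached.append(name)  # handler ran (and complained about params): reachable
        else:
            reached.append(name)
    return reached
```

For a correctly configured API the probe reports only the routes deliberately marked public (here just `login`); any other name in its output is exactly the gap the article describes, a documented-as-authenticated endpoint that answers without credentials.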
Bugs fixed and company planning new security policies
After establishing contact with Bluspark's law firm, Zveare gave TechCrunch permission to share a copy of his vulnerability report with its representatives.
Days later, the law firm announced that Bluspark was working to repair most of the deficiencies and hire a third-party firm for an independent evaluation.
Zveare's efforts to report the bugs highlight a common problem in cybersecurity. Companies often provide no way to report security vulnerabilities, such as a published contact address. That leaves security researchers reluctant to disclose active flaws publicly, out of concern that revealing the details could put users' data at risk.
Ming Lee, a lawyer representing Bluspark, told TechCrunch on Tuesday that the company is “confident in the steps taken to mitigate the potential risks arising from the researchers' findings” but did not comment on the details of the vulnerabilities or their fix, identify which third-party evaluation firm was used, or comment on the company's specific security practices.
In response to TechCrunch's questions, Bluspark declined to say whether it had been able to determine if anyone had used the bugs to maliciously tamper with customer shipments. Lee said there is “no indication of customer impact or malicious activity resulting from the issues identified by our researchers.” Bluspark declined to say what evidence it relied on to reach that conclusion.
Lee said Bluspark is planning to introduce a disclosure program that would allow outside security researchers to report bugs and flaws to the company, but those discussions are still ongoing.
Bluspark CEO Ken O'Brien did not comment for this article.
To contact this reporter securely, use Signal using username zackwhittaker.1337.