TL;DR

New York-based Bluspark Global left parts of its Bluvoyix shipping platform publicly accessible, exposing plaintext passwords and decades of customer shipment records. A security researcher found unauthenticated API endpoints and reported the flaws after difficulty contacting the company; Bluspark says it has remediated the issues and is pursuing an independent assessment.

What happened

Security researcher Eaton Zveare discovered in October that elements of Bluspark Global’s systems were publicly reachable after inspecting a customer website that used the company’s Bluvoyix API to send contact-form messages. The API’s auto-generated documentation was accessible from the web and included a built-in tester that, despite claiming authentication was required, returned sensitive data without credentials. Zveare says he retrieved user account records, including usernames and passwords stored in plaintext, and found commands that allowed creation of new administrator accounts. Using those commands, he created an admin user and accessed the Bluvoyix portal, which exposed customer shipment records dating back to 2007. Zveare initially sought to notify Bluspark through the Maritime Hacking Village and then contacted the company directly but received no response; TechCrunch then intervened, and after several messages Bluspark’s law firm engaged. Bluspark told TechCrunch the company fixed five flaws and is arranging an external review, while saying there is no indication of customer impact.

Why it matters

  • Unauthenticated APIs and plaintext credentials make it straightforward for attackers to obtain admin access and customer data.
  • The exposed platform supports many shippers and retailers, increasing the potential downstream impact if data were abused.
  • Shipping and logistics are already targeted by organized criminals; vulnerabilities like these can enable cargo theft or redirection.
  • Lack of clear vulnerability disclosure channels can delay remediation and leave sensitive systems exposed for longer.

Key facts

  • Company: Bluspark Global, based in New York; platform named Bluvoyix.
  • Researcher: Eaton Zveare discovered the issues in October and worked with the Maritime Hacking Village to report them.
  • Flaws: Five vulnerabilities were identified and later fixed, including plaintext-stored passwords and an unauthenticated API.
  • Data exposed: User account records (usernames and plaintext passwords) and customer shipment records reportedly dating back to 2007.
  • API behavior: Auto-generated documentation and a test interface were publicly reachable and allowed unauthenticated commands, including creating admin accounts.
  • Notification timeline: Initial outreach to Bluspark went unanswered; TechCrunch’s repeated alerts prompted a law firm response.
  • Company response: Bluspark said issues are remediated and that it is seeking a third-party assessment; it declined to share details of fixes or the assessor.
  • Customer impact: Bluspark said there is "no indication of customer impact or malicious activity attributable to the issues," but would not provide supporting details.
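The core failure described in "What happened" and in the API behavior fact above is a mismatch between what generated API documentation claims (authentication required) and what the handlers actually enforce, compounded by plaintext password storage. The following is an added example, not code from the article or from Bluspark, showing a self-audit a team can run against its own API: the endpoint names, handlers, spec and user store are constructed assumptions, and the audit flags any endpoint the docs mark as protected that still answers without credentials.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 hash; stored form is 'salt_hex$digest_hex', never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

# Constructed in-memory user store and session token (hypothetical, not Bluvoyix's).
USERS = {"alice": hash_password("correct horse battery staple")}
VALID_TOKEN = os.urandom(16).hex()

# Constructed OpenAPI-style summary: what the generated docs *claim* about each route.
SPEC = {
    "GET /users": {"auth_required": True},
    "POST /admin/create": {"auth_required": True},
    "POST /contact": {"auth_required": False},
}

def handle(endpoint: str, token=None):
    """Constructed handlers: only /admin/create checks the token; GET /users is
    documented as protected but never enforces it (the mismatch to detect)."""
    if endpoint == "GET /users":
        return 200, sorted(USERS)          # leaks the account list with no token
    if endpoint == "POST /admin/create":
        if token != VALID_TOKEN:
            return 401, None
        return 201, "created"
    if endpoint == "POST /contact":
        return 200, "sent"
    return 404, None

def audit_unauthenticated(spec, handler):
    """Call each documented-protected route with no credentials; anything not
    answering 401/403 is a docs-versus-enforcement mismatch worth fixing."""
    findings = []
    for endpoint, meta in spec.items():
        if not meta["auth_required"]:
            continue
        status, _ = handler(endpoint, token=None)
        if status not in (401, 403):
            findings.append((endpoint, status))
    return findings
```

Running the audit as part of CI, fed from the real generated spec, catches the class of gap the article describes before the docs and their built-in tester are ever exposed.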

What to watch next

  • Whether Bluspark completes and publishes results from the planned third-party security assessment; details and findings were not confirmed in the source.
  • If Bluspark implements the promised vulnerability disclosure program and how external researchers will be able to report bugs.
  • Any later confirmation from Bluspark or its customers about whether shipment records were accessed or manipulated; this is not confirmed in the source.

Quick glossary

  • API (Application Programming Interface): A set of rules and endpoints that allows software systems to communicate and exchange data over the internet.
  • Plaintext password: A password stored or transmitted without encryption or hashing, readable as-is by anyone who can access it.
  • Authentication token: A piece of data issued after login that a system uses to verify a user’s identity for subsequent requests.
  • Vulnerability disclosure program: A formal process through which an organization accepts, coordinates, and responds to security reports from external researchers.

Reader FAQ

Who found the security flaws?
Researcher Eaton Zveare discovered the issues and worked with the Maritime Hacking Village to report them.

Did Bluspark fix the problems?
Bluspark told TechCrunch it has remediated the identified flaws and is pursuing an external assessment.

Were customer shipments redirected or stolen because of this exposure?
Bluspark said there is no indication of customer impact, but the company did not provide evidence; this is not confirmed in the source.

Did Bluspark respond promptly to the researcher?
Initial attempts to contact Bluspark went unanswered; TechCrunch’s repeated outreach ultimately prompted a law firm to respond.

For the past year, security researchers have been urging the global shipping industry to shore up their cyber defenses after a spate of cargo thefts were linked to hackers. The…
