Dimly lit warehouse interior shows servers with cargo containers while golden light filters through doors with laptop display
Posted inBusiness News Tech News

Shipping Giant Left Passwords Exposed Online

No CommentsPosted inBusiness News, Tech News

At a Glance

  • Bluspark Global fixed five critical flaws in its Bluvoyix shipping platform after a researcher found plaintext passwords and an unauthenticated API
  • The bugs exposed decades of shipment records for hundreds of major retail, grocery, and furniture clients
  • It took weeks of voicemails, LinkedIn messages, and legal pressure before the company acted
  • Why it matters: Global cargo thefts already linked to hackers show supply-chain software has become a high-stakes target for organized crime

A little-known but widely used U.S. shipping-tech firm, Bluspark Global, has spent recent months patching gaping security holes that left customer passwords, shipment data, and administrative controls open to anyone on the internet.

The New York-based company runs Bluvoyix, a cloud platform that hundreds of big-name companies rely on to move and track freight worldwide. Although Bluspark is not a consumer brand, its code underpins supply chains for retail giants, grocery chains, and furniture makers.

Security researcher Eaton Zveare uncovered the weaknesses in October and found that the flaws were trivial to exploit. The most serious problems:

  • Plaintext passwords for staff and customers were reachable through an unauthenticated API
  • Anyone could create an administrator account without logging in
  • An email-sending function embedded in client websites could be hijacked to phish from legitimate corporate domains
  • No authentication checks were enforced on many API calls, so stolen or forged tokens were unnecessary

Zveare’s investigation began after he inspected the contact form on a Bluspark customer’s site. The form’s source code revealed a direct link to Bluspark’s API. Pasting that address into a browser pulled up auto-generated documentation listing every command the interface accepted.

The page advertised that authentication was required, yet the API freely returned data when queried. With a few requests Zveare downloaded user account records going back to 2007, including usernames and unencrypted passwords. One set of credentials belonged to a platform administrator.

Rather than log in with the admin’s password, Zveare followed another documented instruction: create a new user with top-level privileges. The system complied instantly. Inside the administrative portal he could browse shipment histories for every customer, spanning more than fifteen years.

After collecting proof, Zveare tried to warn Bluspark. The company publishes no security contact address, so he submitted findings through the nonprofit Maritime Hacking Village, which mediates vulnerability reports for maritime firms. When that failed to draw a response, he sent emails, left voicemails, and reached out via LinkedIn. Weeks passed with no reply, leaving the flaws exposed.

Eventually Zveare approached News Of Philadelphia. Reporters emailed CEO Ken O’Brien and senior executives, but messages were ignored. A message to a major U.S. retail client also went unanswered. Only after the journalists sent the CEO a partial copy of his own plaintext password did the company react-through an external law firm.

Legal representatives confirmed receipt of the report and, days later, stated that most vulnerabilities were patched and that Bluspark would bring in a third-party firm for an independent assessment. The company declined to name the assessor, specify which issues were fixed, or provide logs showing whether threat actors had abused the bugs.

Attorney Ming Lee, speaking for Bluspark, said the firm is “confident in the steps taken to mitigate potential risk,” but would not detail its security practices. When asked whether any shipments had been maliciously rerouted, Lee replied there was “no indication of customer impact,” yet offered no supporting evidence.

Lee added that Bluspark is considering a formal bug-bounty or disclosure program, though discussions remain preliminary. CEO O’Brien provided no direct comment.

The incident highlights a widening problem: as criminals pair cyber intrusions with physical cargo theft, supply-chain software becomes an attractive target. Researchers have warned for a year that logistics firms are under sustained attack aimed at hijacking freight. Simple lapses-like storing passwords in plaintext or skipping API authentication-can let thieves divert trucks full of goods.

Until every vendor makes reporting flaws straightforward, researchers say, silent vulnerabilities will persist, leaving shipments and customer data at risk.

Key Takeaways

Zveare stands frustrated before computer screen showing exposed shipping data with laptop and scattered emails from Bluspark
  • Bluspark’s fixes closed five documented holes, but the timeline from discovery to remediation stretched over months
  • Researchers still lack clear channels to notify many maritime and logistics companies, delaying critical patches
  • With organized crime already exploiting cyber-weaknesses to steal cargo, even low-profile tech suppliers can impact global supply chains

Author

  • I’m Daniel J. Whitman, a weather and environmental journalist based in Philadelphia. I

    Daniel J. Whitman is a city government reporter for News of Philadelphia, covering budgets, council legislation, and the everyday impacts of policy decisions. A Temple journalism grad, he’s known for data-driven investigations that turn spreadsheets into accountability reporting.
Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *