Bluspark Global, a New York-based firm that provides the Bluvoyix shipping platform, left its systems vulnerable through an unauthenticated API. The company handles worldwide freight shipments for customers including retail giants, grocery stores, and furniture makers, and its software is also used by several other affiliates.
Security researcher Eaton Zveare discovered that the API allowed unrestricted access to user account records, including usernames and plaintext passwords, without requiring authentication – including for admin accounts.
This vulnerability enabled attackers to create administrator accounts, granting them full visibility into the company's supply chain data and customer shipment logs spanning nearly two decades.
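To make the failure pattern concrete, here is an added example (not Bluspark or Bluvoyix code; all names, accounts, tokens and the request format are constructed for illustration). It models an account-records endpoint twice: a vulnerable handler that answers any caller with every record, plaintext passwords included, and a hardened handler that requires a valid session token, restricts account listing and admin creation to the admin role, stores only salted PBKDF2 hashes, and never returns credential material in a response.

```python
"""Added example: vulnerable vs. hardened account-records API (constructed data)."""
import hashlib
import hmac
import secrets

# ---- Vulnerable pattern: plaintext store, no authentication -----------------
VULNERABLE_DB = [  # constructed sample records
    {"username": "alice", "password": "hunter2", "role": "user"},
    {"username": "ops-admin", "password": "Sup3rS3cret!", "role": "admin"},
]

def vulnerable_list_users(request):
    """Returns every record, password included, to any caller (no auth check)."""
    return {"status": 200, "body": VULNERABLE_DB}

# ---- Hardened pattern ---------------------------------------------------------
HARDENED_DB = {}   # username -> {"salt", "digest", "role"}
SESSIONS = {}      # bearer token -> username
PBKDF2_ROUNDS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256

def hash_password(password, salt=None):
    """Salted PBKDF2; returns (salt, digest). Plaintext is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def register(username, password, role="user"):
    salt, digest = hash_password(password)
    HARDENED_DB[username] = {"salt": salt, "digest": digest, "role": role}

def login(username, password):
    """Returns a random session token on success, None otherwise."""
    rec = HARDENED_DB.get(username)
    if rec is None or not verify_password(password, rec["salt"], rec["digest"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def _caller(request):
    """Resolves the Authorization: Bearer header to a username, or None."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):].strip())

def hardened_list_users(request):
    user = _caller(request)
    if user is None:
        return {"status": 401, "body": {"error": "authentication required"}}
    if HARDENED_DB[user]["role"] != "admin":
        return {"status": 403, "body": {"error": "admin role required"}}
    # Return only non-secret fields: no password, salt or digest, even for admins.
    return {"status": 200,
            "body": [{"username": u, "role": r["role"]} for u, r in HARDENED_DB.items()]}

def hardened_create_user(request):
    """Only an authenticated admin may create accounts; blocks self-granted admin."""
    user = _caller(request)
    if user is None:
        return {"status": 401, "body": {"error": "authentication required"}}
    if HARDENED_DB[user]["role"] != "admin":
        return {"status": 403, "body": {"error": "admin role required"}}
    body = request.get("body", {})
    if body.get("username") in HARDENED_DB:
        return {"status": 409, "body": {"error": "username exists"}}
    register(body["username"], body["password"], body.get("role", "user"))
    return {"status": 201, "body": {"username": body["username"]}}

def setup_demo():
    """Populates the hardened store with the same constructed accounts."""
    register("alice", "hunter2")
    register("ops-admin", "Sup3rS3cret!", role="admin")

setup_demo()

if __name__ == "__main__":
    print("vulnerable:", vulnerable_list_users({}))            # leaks passwords
    print("no token:", hardened_list_users({}))                # 401
    tok = login("ops-admin", "Sup3rS3cret!")
    print("admin:", hardened_list_users({"headers": {"Authorization": "Bearer " + tok}}))
```

The two things that turn the vulnerable handler into the hardened one are a caller check before any data is read and a strict separation between what is stored (salted hashes) and what is returned (identity and role only); the 401/403 split also gives a monitoring team distinct signals for unauthenticated probing versus privilege-escalation attempts.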
Now-solved critical vulnerabilities were uncovered that enabled full platform takeover and access to all customer data and shipments.
After identifying the five distinct flaws in October, Zveare said they attempted to notify Bluspark through multiple channels, including the Maritime Hacking Village, but received no response. Remediation was initiated only after TechCrunch intervened, demonstrating the severity of the lapse by sending a partial password for the company's CEO.
Bluspark’s legal representatives have since confirmed that the identified vulnerabilities, including plaintext password use and API flaws, have been resolved. The company stated there is currently no indication of malicious exploitation of these flaws and plans to implement a vulnerability disclosure program to prevent future communication failures.
This incident occurred at a critical juncture for shipping industry cybersecurity, as the logistics sector is increasingly targeted by hackers. A report this week unveiled that a port employee accepted a bribe to manipulate cargo in order to smuggle drugs.
In November, a Mixpanel data breach exposed a limited set of OpenAI API user analytics data. Other recent worrying vulnerabilities that expose sensitive data include IoT device flaws in Petlibro smart pet feeders.