Security flaws in India’s National Logistics Portal-Marine exposed sensitive data

India’s state-owned National Logistics Portal-Marine has successfully resolved security issues that had left sensitive personal information and trade records vulnerable to unauthorized access.

The website exposed confidential data through misconfigured Amazon S3 buckets, and its source code included a JavaScript file containing login credentials. Security researcher Bob Diachenko discovered these issues using the open-source secret-scanning tool TruffleHog. The exposed data included personal details such as full names, nationality, date of birth, gender, passport numbers, passport issuing authorities, and expiration dates submitted by crew members of various vessels and ships. Sensitive trade documents, including invoices, shipping orders, and bills of lading, were also accessible.

Diachenko explained that multiple factors contributed to the exposure, ranging from storing hardcoded credentials in a JavaScript file to making data accessible through public S3 buckets.
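The two failure modes Diachenko names, credentials hardcoded in a client-side JavaScript file and S3 buckets readable by anyone, are both things a defender can check for mechanically. The following is an added example, not code from the article, from Portall or from TruffleHog: a small Python scanner that flags AWS-style key material in a JavaScript bundle (a simplified version of the detector logic tools like TruffleHog use) and flags bucket-policy statements that grant access to the public principal. The JavaScript snippet, the bucket names and the policies are constructed samples; the key values are AWS's own documented placeholder credentials.

```python
"""
Added example (not the article's, Portall's or TruffleHog's code).
Checks for the two misconfigurations described in the article:
  1. AWS credentials hardcoded in a front-end JavaScript file.
  2. An S3 bucket policy that grants access to everyone.
All inputs below are constructed samples.
"""
import re

# AWS access key IDs start with "AKIA" followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# A 40-character secret assigned to a name that looks like an AWS secret key
# (matches secretAccessKey, secret_access_key, aws_secret, ... case-insensitively).
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(secret(?:_|-)?access(?:_|-)?key|aws(?:_|-)?secret)"
    r"\s*[:=]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"
)


def redact(value: str) -> str:
    """Keep the first 4 and last 2 characters so a finding never re-leaks the secret."""
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def find_hardcoded_aws_credentials(js_source: str):
    """Return (line_number, kind, redacted_value) for every credential-looking token."""
    findings = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(2))))
    return findings


def public_statements(bucket_policy: dict):
    """Return the Sids of Allow statements whose Principal is everyone."""
    public = []
    for stmt in bucket_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            public.append(stmt.get("Sid", "<no Sid>"))
    return public


# Constructed sample: a front-end bundle that embeds AWS keys (the anti-pattern).
# The key values are AWS's documented placeholder credentials, not real ones.
SAMPLE_JS = """// bundle.js (constructed sample)
const s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  region: "ap-south-1"
});
"""

# Constructed sample: a policy with one world-readable statement next to a scoped one.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed sample: the hardened form, only the application role may read.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [PUBLIC_POLICY["Statement"][1]],
}

if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_aws_credentials(SAMPLE_JS):
        print(f"bundle.js:{lineno}: hardcoded {kind} {value}")
    print("public statements:", public_statements(PUBLIC_POLICY))
    print("public statements after hardening:", public_statements(HARDENED_POLICY))
```

A finding from the first check means the key is already compromised (anyone who loaded the page has it), so the remediation is to rotate the key and move the access path server-side (an IAM role on the backend, or short-lived pre-signed URLs handed to the browser), not merely to delete the line. A finding from the second check is removed by dropping the public statement and enabling S3 Block Public Access on the account so a future policy edit cannot reintroduce it.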

On September 25, Diachenko shared a screenshot on X (formerly Twitter) that displayed one of the exposed files with redacted sensitive information. Subsequently, he was contacted by the Indian Computer Emergency Response Team (CERT-In) and AWS’s security team to gain a better understanding of the incident. TechCrunch also notified CERT-In about the situation upon receiving details from the researcher. CERT-In acknowledged the receipt of the communication and confirmed the fix on Friday.

CERT-In stated, “With respect to the trailing email, the concerned organization has confirmed that the vulnerability is mitigated.”

Neither the ports, shipping, and waterways ministry nor the company responsible for the portal, Portall (a subsidiary of India’s business conglomerate JM Baxi), responded to multiple requests for comment before publication.

The National Logistics Portal-Marine was launched by the ports, shipping, and waterways ministry in January this year to serve as a ‘single window’ for all logistics trade processes, covering transportation modes in waterways, roadways, and airways. It also features an online marketplace for end-to-end logistics services.

This data exposure incident comes shortly after India enacted the Digital Personal Data Protection Act, 2023, a privacy law that outlines guidelines for private companies’ use of personal data. Notably, the Indian government is exempt from certain legal obligations under this law.
