Security researcher Bob Diachenko claims that he has found vulnerabilities in the National Lo gistics Portal (Marine) by using TruffleHog, an open-source security tool.
In a post on X (formerly Twitter) Diachenko said that the breach at the National Logistics Portal (Marine) has exposed sensitive personal information of crew members and trade records, due to misconfigured Amazon S3 buckets and a JavaScript file containing login credentials.
Diachenko told TechCrunch that “the exposed data included full names, nationality, date of birth, gender, passport numbers, passport issuing authority and expiration date that various crew members of vessels and ships submitted for their travel. Similarly, there were invoices, shipping orders and bills of lading among the sensitive pieces of information.”
The exposed AWS S3 keys could have allowed threat actors to get higher privileges and gain access to the National Logistics Portal infrastructure, Diachenko says. This created the possibility for ransomware attacks. Threat actors could have taken advantage of the access to the system to encrypt critical information and make it inaccessible to the waterways authorities.
As a part of its digitization initiative, the Central Government launched the National Logistics Portal (Marine) in January this year. The portal functions as a one-stop platform where all maritime stakeholders get integrated for easier and speedier services. The platform is aimed at reducing regulatory complexities and making a push for paperless trade.
Logistics such as the management of customs documents, paying fees, tracking shipments, and other port activities can be seamlessly conducted at this portal. According to Diachenko, the leak was reported to Indian authorities and the problem has now been fixed.
