**I'm The Captain Now: Hijacking a Global Ocean Supply Chain Network**
Imagine being able to control the flow of goods across the world's oceans, influencing the delivery of everything from fresh produce to critical medical supplies. This may sound like a fictional tale of espionage and international intrigue, but what if I told you that it's possible – albeit not necessarily with nefarious intent? In reality, such power lies within the hands of organizations like BLUVOYIX or Bluspark Global, whose work behind the scenes can have far-reaching consequences.
BLUVOYIX is a Software as a Service (SaaS) platform that powers the cargo and ocean shipping/logistics industry. According to their website, it's "a cloud-based solution that helps shippers manage their supply chain data in a frictionless, neutral environment supported by a best-in-class tech stack." But what does this mean, exactly? Essentially, the platform serves as an intermediary between hundreds of companies, facilitating communication and management of global supply chains. Approximately 500 organizations use BLUVOYIX to oversee their logistics operations.
Now, you might wonder how a platform in that position can be compromised without anyone noticing. Well, it's not that no one is paying attention; rather, the vulnerabilities were hiding in plain sight – or, more accurately, within poorly secured APIs and plaintext passwords. My investigation began with a curiosity-driven search for shipping associations and their login/registration panels, which led me to the joining page of a BLUVOYIX customer.
The website was built using React JS, my personal favorite framework (no bias intended). Watching the requests the frontend made, I found the API root – an entry point that often yields documentation, or at least a listing of endpoints. After browsing to it and trimming the extraneous parts of a request, I stumbled upon a juicy endpoint called "getUserList." What followed was a cascade of discoveries.
Here's what happened next: the endpoint enforced no authentication at all. With just a few tweaks to the request, I received the entire user list without ever logging in. To make matters worse, each record carried the user's password in plaintext, administrative accounts included. That tells you two things at once: the application never hashed its passwords, and it serialized every stored column straight into the response. In short order, I had compromised the system.
But that was just the beginning. Using the create-user API, I created my own administrator account and promptly received a welcome email containing the account's password, again in plaintext. From there, it was merely a matter of logging in via the "NVO" (non-vessel operating carrier) portal, which led me to another set of APIs. As it turned out, these had their own share of vulnerabilities.
One login function stood out: when given a username and password, it returned a JSON Web Token (JWT). Not surprisingly, this token was required for subsequent API calls – or so one might assume. Upon further inspection, I discovered that the JWT was entirely decorative: the server issued it but never verified it, and stripping the Authorization header from a request made no difference to the response. In practice, every endpoint behind that token was unauthenticated. This is a check worth making on any API you test: replay the same call without the token, with a token whose payload has been altered, and with an expired one, and see whether the server actually notices.
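The check described above, as an added example that is not part of the original post and not BLUVOYIX's code: a minimal HS256 JWT issuer and verifier in pure Python, a "vulnerable" handler that accepts the token but never checks it (the behaviour the post describes), a hardened handler that verifies signature, algorithm and expiry, and a probe that replays one call with a valid, missing, tampered and `alg=none` token. The signing key, handler names and the shipment payload are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: the server's HMAC key; never ship a literal


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub, role, ttl=3600, now=None):
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "role": role, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, now=None):
    """Return the claims, or None for a missing, malformed, unsigned,
    wrongly signed or expired token."""
    if not token or token.count(".") != 2:
        return None
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


SHIPMENTS = [{"id": "SHP-001", "status": "loaded"}]  # constructed sample data


def _bearer(request):
    auth = request.get("headers", {}).get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""


def shipments_vulnerable(request):
    """What the post describes: the token is accepted but never verified,
    so its absence changes nothing."""
    _bearer(request)  # read and ignored
    return 200, {"shipments": SHIPMENTS}


def shipments_hardened(request):
    claims = verify_token(_bearer(request))
    if claims is None:
        return 401, {"error": "missing or invalid token"}
    return 200, {"shipments": SHIPMENTS, "for": claims["sub"]}


def probe_enforcement(handler, valid_token):
    """Replay one call with four token variants and report the status per case."""
    header_b64, payload_b64, sig_b64 = valid_token.split(".")
    forged_payload = _b64url(json.dumps({"sub": "attacker", "role": "admin", "exp": 2**31}).encode())
    none_header = _b64url(json.dumps({"alg": "none"}).encode())
    cases = {
        "valid": valid_token,
        "missing": "",
        "tampered": f"{header_b64}.{forged_payload}.{sig_b64}",  # payload edited, old signature
        "alg_none": f"{none_header}.{payload_b64}.",            # unsigned token
    }
    results = {}
    for name, tok in cases.items():
        headers = {"Authorization": f"Bearer {tok}"} if tok else {}
        status, _ = handler({"headers": headers})
        results[name] = status
    return results
```

If every case in the probe returns 200, the token is decoration and the endpoint should be treated as unauthenticated; a correctly enforced endpoint returns 200 only for the valid case.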
As it turns out, my findings weren't limited to one customer. I found the login page used after registration approval and identified several APIs with the same class of issues, including publicly reachable documentation that exposed sensitive information. Specifically, the "getUser" API returned the password of any valid user, regardless of role.
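The two password-leaking endpoints, getUserList above and getUser here, share one root cause: passwords stored in the clear and serialized wholesale to an unauthenticated caller. As an added example (not the platform's code), here is that pattern beside a hardened version: salted PBKDF2 hashes instead of plaintext, an authentication and role check on every handler, a field allowlist so a secret column can never leak by accident, and a create-user flow that hands out a single-use setup token rather than mailing a password. The records, field names and role checks are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample records, not real accounts. The vulnerable store keeps the
# password itself, which is why an unauthenticated listing can leak it.
VULNERABLE_USERS = [
    {"id": 1, "username": "admin", "role": "admin", "password": "Summer2023!"},
    {"id": 2, "username": "ops", "role": "user", "password": "hunter2"},
]


def get_user_list_vulnerable(request):
    """No caller check; every stored column goes straight into the response."""
    return 200, [dict(u) for u in VULNERABLE_USERS]


# --- hardened version ---------------------------------------------------------

PBKDF2_ROUNDS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Salted PBKDF2; the plaintext never touches the store."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    if not stored:  # account without a password yet (setup not completed)
        return False
    salt_hex, digest_hex = stored.split("$", 1)
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(calc.hex(), digest_hex)


HARDENED_USERS = [
    {"id": 1, "username": "admin", "role": "admin", "password_hash": hash_password("Summer2023!")},
    {"id": 2, "username": "ops", "role": "user", "password_hash": hash_password("hunter2")},
]

# Allowlist of what may leave the server. Columns added later (reset tokens,
# setup tokens, hashes) are excluded by default rather than by remembering.
PUBLIC_FIELDS = ("id", "username", "role")


def _public(user):
    return {k: user[k] for k in PUBLIC_FIELDS}


def _require_admin(request):
    """request["caller"] is set by the auth layer; None means anonymous."""
    caller = request.get("caller")
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller.get("role") != "admin":
        return 403, {"error": "admin role required"}
    return None


def get_user_list_hardened(request):
    denied = _require_admin(request)
    if denied:
        return denied
    return 200, [_public(u) for u in HARDENED_USERS]


def get_user_hardened(request, user_id):
    denied = _require_admin(request)
    if denied:
        return denied
    for u in HARDENED_USERS:
        if u["id"] == user_id:
            return 200, _public(u)
    return 404, {"error": "no such user"}


def create_user_hardened(request, username, role):
    """Admin-only. No password is generated or mailed: the account starts without
    one, and the caller receives a single-use setup token whose hash is stored
    so the user can set their own password out of band."""
    denied = _require_admin(request)
    if denied:
        return denied
    setup_token = secrets.token_urlsafe(32)
    user = {
        "id": max(u["id"] for u in HARDENED_USERS) + 1,
        "username": username,
        "role": role,
        "password_hash": None,
        "setup_token_hash": hashlib.sha256(setup_token.encode()).hexdigest(),
    }
    HARDENED_USERS.append(user)
    return 201, {**_public(user), "setup_token": setup_token}
```

Note that even the hardened listing returns nothing but id, username and role to an admin; a password hash has no business in an API response at all, and the allowlist is what guarantees that when someone later adds a column.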
At this point, I had gained access to multiple systems, including those from other prominent shipping associations using the BLUVOYIX platform. It was clear that these vulnerabilities were far-reaching and impactful – affecting not just individual companies but also their customers and partners across the globe.
I submitted my findings to the Maritime Hacking Village VDP (Vulnerability Disclosure Program), which responded promptly. Reaching Bluspark Global itself was harder: my initial attempts at contact went unanswered, and it took involving a journalist to get a reply. Once contact was established, the company was responsive and fixed the reported vulnerabilities quickly, which speaks to their commitment to security.
So what can be learned from this experience? Firstly, the importance of vulnerability disclosure cannot be overstated; had I not shared my findings, these issues might have gone unaddressed for a long time. Secondly, it is a reminder that little-known companies like BLUVOYIX sit at critical points in global supply chains, and their security should not be taken lightly.