India’s state-owned logistics portal has fixed misconfigurations and vulnerabilities that exposed sensitive personal data and various state and private trade records.
Called the National Logistics Portal-Marine, the website made the sensitive and private data public due to misconfigured Amazon S3 buckets. It also served a JavaScript file that embedded login credentials in the web source code.
Security researcher Bob Diachenko found the issues with the Indian portal using the open-source security tool TruffleHog. Diachenko told TC that the exposed data included full names, nationality, date of birth, gender, passport numbers, passport issuing authority and expiration date that various crew members of vessels and ships submitted for their travel. There were also invoices, shipping orders and bills of lading, among other sensitive information.
“The reasons [for the exposure] are multiple in this case — all leading to various misconfiguration, starting from storing hardcoded credentials in a JavaScript file and to the public S3 buckets,” he told TC.
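The two root causes named above, credentials hardcoded in a shipped JavaScript file and S3 buckets readable by anyone, are both things a defender can check for before deployment. The following is an added example, not the researcher's tooling or anything from the portal itself: a minimal secrets scan over a constructed JavaScript snippet (key ID pattern plus an entropy test on values assigned to secret-looking names) and a review of a bucket policy document for statements that grant access to an anonymous principal. The key pair in the sample is AWS's published example pair, the bucket name and account ID are made up, and the detection patterns are a simplification of what tools of this kind do.

```python
import json
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: a front-end config file that embeds credentials the way
# the article describes. The key pair is AWS's documented example, not a live one.
SAMPLE_JS = """
const config = {
  region: "ap-south-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  bucket: "example-portal-docs"
};
"""

# Constructed bucket policy that grants anonymous read access (the weak setting).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-portal-docs/*",
    }],
})

# Corrected policy: only a named backend role may read (account ID is a placeholder).
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/portal-backend"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-portal-docs/*",
    }],
})

# AWS access key IDs have a fixed prefix and length, so they can be matched directly.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Quoted string of 16+ chars assigned to an identifier that looks like a secret.
SECRET_ASSIGN = re.compile(
    r"(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]",
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_credentials(source: str) -> List[Dict]:
    """Return credential-like findings in a source file, with 1-based line numbers."""
    findings = []
    for m in AWS_KEY_ID.finditer(source):
        findings.append({
            "kind": "aws_access_key_id",
            "value": m.group(0),
            "line": source.count("\n", 0, m.start()) + 1,
        })
    for m in SECRET_ASSIGN.finditer(source):
        value = m.group(2)
        # Entropy gate keeps placeholders like "changeme_changeme" from firing.
        if shannon_entropy(value) >= 3.5:
            findings.append({
                "kind": "high_entropy_secret",
                "value": value,
                "line": source.count("\n", 0, m.start(2)) + 1,
            })
    return findings


def public_statements(policy_json: str) -> List[Dict]:
    """Return Allow statements whose principal is anonymous ("*").

    Conditions are not evaluated, so this is deliberately conservative: any
    statement it flags deserves a human look before the bucket goes live.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written unwrapped
        statements = [statements]
    flagged = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            flagged.append(st)
    return flagged


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_JS):
        print(f"line {f['line']}: {f['kind']}")
    print("public statements in PUBLIC_POLICY:", len(public_statements(PUBLIC_POLICY)))
    print("public statements in PRIVATE_POLICY:", len(public_statements(PRIVATE_POLICY)))
```

Running both checks in CI against built front-end bundles and against bucket policies pulled from the account catches exactly the two conditions described in the article; the policy check complements, rather than replaces, enabling S3 Block Public Access at the account level.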
On September 25, Diachenko posted a screenshot on X, formerly known as Twitter, showing one of the exposed files with redacted sensitive information. Subsequently, he was contacted by the Indian Computer Emergency Response Team (CERT-In) and AWS’s security team to understand the incident better. TC also separately informed CERT-In about the matter shortly after getting the details from the researcher. The nodal agency acknowledged the receipt of our communication on Tuesday and confirmed the fix on Friday.
“With respect to the trailing email, the concerned organization has confirmed that the vulnerability is mitigated,” CERT-In said while confirming the fix.
The ports, shipping and waterways ministry and Portall, the firm responsible for the portal and a subsidiary of India’s business conglomerate JM Baxi, did not respond to multiple requests for comment prior to publication.
The ports, shipping and waterways ministry launched the National Logistics Portal-Marine in January. The project aims to work as a “single window” for all logistics trade processes and covers transportation modes across waterways, roadways and airways. It also includes an online marketplace for end-to-end logistics services.
The data exposure incident comes just over a month after India, the second-largest Internet market after China, received its anticipated privacy law, the Digital Personal Data Protection Act, 2023. The law outlines guidelines for private companies’ use of personal data, but exempts the Indian government from legal obligations.