India’s state-run logistics portal has fixed configuration errors and vulnerabilities that exposed sensitive personal data and various state and private business records.
The website, called the National Logistics-Marine Portal, exposed sensitive and private data because of misconfigured Amazon S3 buckets. It also served a JavaScript file that contained login credentials in the web source code.
Security researcher Bob Diachenko found the problems with the Indian portal using the open source security tool TruffleHog. Diachenko told TechCrunch that the exposed data included full names, nationality, date of birth, gender, passport numbers, passport-issuing authority and passport expiration date, submitted by crew members of various boats and ships for their voyages. The exposed data also included invoices, shipping orders and bills of lading.
“The reasons (for the exposure) are multiple in this case, and all lead to various configuration errors, from storing hard-coded credentials in a JavaScript file to public S3 buckets,” he told TechCrunch.
On September 25, Diachenko posted a screenshot on X, formerly known as Twitter, showing one of the exposed files with the sensitive information redacted. He was later contacted by the Computer Emergency Response Team of India (CERT-In) and the AWS security team to better understand the incident. TechCrunch also separately informed CERT-In about the matter shortly after receiving the details from the researcher. The nodal agency acknowledged receipt of our communication on Tuesday and confirmed the fix on Friday.
“With regard to the follow-up email, the organization in question has confirmed that the vulnerability is mitigated,” CERT-In said in confirming the fix.
The Ministry of Ports, Shipping and Waterways and Portall, the company responsible for the portal and a subsidiary of Indian business conglomerate JM Baxi, did not respond to multiple requests for comment before publication.
The Ministry of Ports, Shipping and Waterways launched the National Logistics-Marine Portal in January. The project is intended to function as a “one-stop shop” for all logistics business processes and covers transport by waterways, roads and airways. It also includes an online marketplace for end-to-end logistics services.
The data exposure comes just over a month after India, the second-largest internet market after China, enacted its long-anticipated privacy law, the Digital Personal Data Protection Act, 2023. The law sets out rules for the use of personal data by private companies, but exempts the Indian government from its legal obligations.