Cybersecurity neglect put Indian seaports in jeopardy

The National Logistics Portal (NLP), a recently launched platform for managing India's port operations, inadvertently granted public access to sensitive data, heightening the potential risk of takeover by malicious actors.

Launched in January this year, The National Logistics Portal (NLP), is a one-stop platform to manage logistics at India’s ports, such as the management of customs documents, paying fees, tracking shipments, and other port activities.

Exclusive research reported by Cybernews showed that the NLP platform was exposing sensitive credentials, secrets, and encryption keys via publicly available JS files. Alarmingly, the exposed AWS S3 keys allowed anyone to get higher privileges and gain access to all of the NLP infrastructure.

This presents a serious risk of ransomware attacks, as malicious actors could have exploited their access to the system to encrypt vital data, making it inaccessible to the waterways authorities.

Platform developers also left a number of Amazon Web Services (AWS) S3 buckets publicly accessible to anyone. The storage buckets contained the personal data of workers, marine crew, invoices, and internal documents. As the platform deals with the country’s critical infrastructure, this oversight might introduce great risk.

It might have caused far-reaching consequences, such as disrupting the trade and operations of India’s ports, not to mention the financial implications of significant ransoms demanded for the decryption keys.

According to the CEO of SecurityDiscovery Bob Diachenko, who first identified the leak, it posed a huge reputational risk not only for the port but for the entire country.

“India’s one-window solution for shipping has left its digital keys right under the doormat. Moreover, the door itself was also open. The JS file should not contain hardcoded credentials in the first place and AWS S3 buckets with sensitive data should be private – especially when it is a governmental institution,” explained Cybernews Diachenko.

The leak was disclosed to the NLP platform’s managers, and the problem was fixed.