Security | 16.07.2024

Security vulnerability in Temu and Shein deliveries in South Africa

Buffalo International Logistics is leaking private customer information through at least one exposed cloud storage bucket.

The bucket contains photos of parcels showing people’s names, addresses, phone numbers, and tracking numbers.

It also has screenshots of WhatsApp conversations between couriers and customers, and photos of the front of people’s houses.

Buffalo International Logistics is a specialist China-Africa import and customs clearance provider to e-commerce services like Shein and Temu.

The company has seen explosive growth in recent years thanks to the increasing popularity of the Chinese online retailers in South Africa.

Temu and Shein’s local success is in no small part thanks to the rapid customs clearance and speedy delivery provided by Buffalo.

South African clothing retailer Zando also recently partnered with Buffalo to provide logistics for Zando Global, an import service developed to compete with Shein and Temu.

Although Buffalo was founded in 2017, its stratospheric rise only started recently — over two years after Shein entered the South African market in 2020.

While Shein uses two logistics providers in South Africa, Buffalo International Logistics is a cornerstone of its success.

Shein’s popularity skyrocketed in 2023 — the same year Buffalo received its Level 1 Authorised Economic Operator (AEO) accreditation from the South African Revenue Service (SARS).

SARS issued the certification for five years and explained that it grants Buffalo access to expedited processes, fewer and faster inspections, exemptions from certain customs supervision, and reduced security deposits.

“We are the logistics company with the lowest inspection rate and the highest pass rate in the Johannesburg airport customs over the years,” Buffalo’s website states.

Buffalo said it ships products in bulk to its sorting centre in South Africa and uses local couriers to do fast last-mile deliveries.

The company has grown so rapidly that it bought Lufthansa’s old South African headquarters in October 2022 and turned it into a 25,000-square-meter sorting centre.

It also said it has integrated with South African customs, local banking systems, and several express companies. It also owns a fleet of 300 vehicles.

A Temu parcel handled by Buffalo International Logistics

Exposed cloud storage bucket

A MyBroadband reader alerted us that Buffalo was using an improperly secured cloud storage bucket after the company failed to respond to his attempts to inform it about the vulnerability.

The bucket is on Huawei’s cloud platform and appears to be hosted in one of its South African data centres.

MyBroadband contacted Buffalo Logistics via email and telephone to coordinate disclosure of the vulnerability.

A support agent took our details and said they would get someone to call us back. No call was received. The company also did not respond to our email.

Despite being the simplest part of cloud infrastructure, improperly configured storage buckets continue to be a headache for organisations.

Last year, cloud security company Wiz found that Microsoft’s AI research team accidentally exposed a large cache of private data online.

They leaked the data while publishing open-source training data on GitHub, a Microsoft-owned developer platform for sharing and collaborating on code. It can also be used as a file repository.

The researchers urged users to download AI models from a cloud storage URL.

However, the cloud storage bucket was misconfigured to grant permissions on the entire storage account, and it also granted users full control permissions, as opposed to read-only, meaning they could delete and overwrite existing files.

The blunder was even more embarrassing considering that Microsoft itself is a hyperscaler. It operates Azure, one of the top three cloud platforms in the world.

Wiz found an exposed storage bucket containing Microsoft employees’ personal computer backups, which contained passwords to Microsoft services, secret keys and more than 30,000 internal Microsoft Teams messages from 359 Microsoft employees.

There was one marked difference between the Microsoft incident and Buffalo, however.

Wiz notified Microsoft about the problem and the company moved quickly to remove the exposed data.

Microsoft also said no customer data was exposed, and no other internal services were put at risk.
