
PuffPal, an App for Accessing Cannabis Clubs, Leaked 1 Million Users’ Passports

Sean Hollister, writing for The Verge (gift link):

If you’ve visited a cannabis club in Spain, [Sammy] Azdoufal says, chances
are your photo ID was among them — and possibly your phone
number, address, your favorite strains of cannabis, and how much
you consumed each month while there. Azdoufal says celebrities are
in the database, too, and visitors from all over the world,
including 30,000 from the United States. “They have famous
people,” says Azdoufal. “People who don’t want everyone to know
they smoke weed.”

But when Azdoufal decompiled that PuffPal app, he explains in his
report, he discovered that Nefos had no meaningful level of
security. He discovered a secret key for the Stripe payments
platform sitting inside the app in plain text. He discovered he
could pull up any member’s profile just by changing one number. If
those profiles included their phone number, home address,
passport, and weed preferences, he now had access to them too.

And then, he discovered that those passports, driver’s licenses,
and photo IDs were stored at public URLs as simple as this:
https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg

Those clubs were uploading 5,000 new photo IDs with these insecure
URLs every day, Azdoufal tells me.

Azdoufal’s full report on the leak, including the ease with which he discovered it, is worth reading.
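The two failures the report describes, a profile reachable by changing one number and ID scans sitting at guessable public URLs, are the same missing control: object-level authorization before an object is handed out. As an added illustration (not code from the report, from Nefos, or from PuffPal), here is the insecure URL pattern beside a hardened server-side flow that checks who is asking and then mints a short-lived signed URL that the storage side verifies; the member table, staff list, signing key and media host are constructed assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data standing in for a club membership database (hypothetical).
MEMBERS = {("clubA", 101): "alice", ("clubA", 102): "bob", ("clubB", 201): "carol"}
STAFF = {"clubA": {"staff_a"}}  # staff may view IDs only for their own club
# Assumption: the signing key lives only on the server, never inside the mobile app.
SIGNING_KEY = b"constructed-server-side-secret"
MEDIA_HOST = "https://media.example.invalid"  # hypothetical host for the hardened endpoint


def insecure_id_url(club: str, user_id: int, side: str = "front") -> str:
    """The pattern in the report: a public URL built directly from the member's id."""
    return f"https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-{side}.jpg"


def can_view_id(requester: str, club: str, user_id: int) -> bool:
    """Object-level authorization: the member themselves or staff of that same club."""
    owner = MEMBERS.get((club, user_id))
    if owner is None:
        return False
    return requester == owner or requester in STAFF.get(club, set())


def _signature(club: str, user_id: int, side: str, exp: int) -> str:
    msg = f"{club}/{user_id}/{side}/{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def signed_id_url(requester, club, user_id, side="front", ttl=300, now=None):
    """Authorize first, then mint a short-lived HMAC-signed URL; None if not allowed."""
    if not can_view_id(requester, club, user_id):
        return None
    exp = int(now if now is not None else time.time()) + ttl
    query = urlencode({"exp": exp, "sig": _signature(club, user_id, side, exp)})
    return f"{MEDIA_HOST}/id/{club}/{user_id}/{side}?{query}"


def verify_signed_url(url: str, now=None) -> bool:
    """Storage side: accept only an unexpired URL whose signature covers the exact path."""
    parts = urlsplit(url)
    try:
        _, _, club, user_id, side = parts.path.split("/")
        q = parse_qs(parts.query)
        exp, sig = int(q["exp"][0]), q["sig"][0]
    except (ValueError, KeyError):
        return False
    if exp < int(now if now is not None else time.time()):
        return False
    return hmac.compare_digest(sig, _signature(club, int(user_id), side, exp))
```

Changing the number in a signed URL invalidates the signature, and an expired one is refused, so a leaked link no longer exposes anyone else's document.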

Bruce Schneier:

Note what happened. A high-value credential — a passport — was
used in an ancillary low-value authentication system: ID
verification for cannabis dispensaries. And it’s the low-value
system that got hacked, putting the high-value credential at risk.

Access to cannabis clubs has to be age verified. The security ought not be shit, but age verification is part of the industry. Now think about the legislation being proposed and passed around the world requiring age verification for just about anything online. These sorts of identity leaks are the inevitable result.
