Nevada Website Bug Leaks Thousands of Medical Marijuana Dispensary Applications

An anonymous reader quotes a report from ZDNet: Nevada's state government website has leaked the personal data on over 11,700 applicants for dispensing medical marijuana in the state. Each application, eight pages in length, includes the person's full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant's citizenship, their driving license number (where applicable), and social security number. Security researcher Justin Shafer found the bug in the state's website portal, allowing anyone with the right web address to access and enumerate the thousands of applications. Though the medical marijuana portal can be found with a crafted Google search query, we're not publishing the web address out of caution until the bug is fixed. A spokesperson for the Nevada Dept. Health and Human Services, which runs the medical marijuana application program, told ZDNet that the website has been pulled offline to limit the vulnerability. The spokesperson added that the leaked data was a "portion" of one of several databases.

Just say you're authorized

Anyone with the right web address? That's not just a bug, it's plain incompetence.

To every one of those applicants, it may have well been the entire database.

Re:Just say you're authorized

[PolygamousRanchKid+]

Anyone with the right web address? That's not just a bug, it's plain incompetence.

Yeah . . . what were those guys smoking, when they set that up . . . ?

. . . maybe they were doing Whippets, as well . . . ?

Re:Just say you're authorized

Considering that it is the Nevada state gov, I would imagine it to be sober incompetence with an eye towards gaining the favor of the soon-to-be AG, Jeff Sessions who has a massive desire to put all them dispensary owners behind bars

Re:Just say you're authorized

[drinkypoo]

. . . maybe they were doing Whippets, as well . . . ?

Bestiality is illegal in the state of Nevada. I think you want "Whip-Its". Or what I found cheapest on eBay, "Mr. Cream". Since basically all N2O is made by a couple of companies, the only difference is in the capsules themselves. Their dimensions can vary slightly, and it may be necessary to purchase a "replacement" capsule-holding part (the part that the capsule goes into) in order to have some capsules release correctly into your whipped cream canister. Ever since I got into reducing sugar in my diet I've been into making my own whipped cream, and I've stupidly been buying capsules from a semi-local restaurant supply store which actually costs more than my favorite head shop. It's not like you can't make it with a stand mixer (or just stand there and hold the mixer like any poor plebian) but it doesn't come out as fluffy.

Don't do whippets. They're just too small. Poor things.

Re:Just say you're authorized

[bobjr94]

I was looking up an order on a stores website once, I noticed the url was just like suckywebstore.com/order?11567 . Out of curiosity I changed the last digit of the order page url (maybe like 11567 to 11566) and it then showed me the complete order for another customer, and changing the number to any other number less then showed that order's info.

That order page showed the customer address, phone #, email address, items ordered, last 4 of the CC # & date, shipping, time and date of the order.

That first thing I thought of was a scammer could call or email any customer, Say - Hi Todd, this is joe from suckystore.com and your order for the 3 dvd players and 2 cables last tuesday didn't get approved, can I get that credit card number from you again ? it was missing one number - Since you had all their order information most people would be sure it was a real call/email and would not hesitate to give you that credit card again. And because you had the customers full name & address it would be very easy to go on a shopping spree with out asking for revealing information.

Re:Just say you're authorized

What they're smoking? The dick of Satan or Hitler, however you want to phrase it, that's what they are smoking. It's what their parents smoked, too.

Dude

[turkeydance]

don't do that. ok?

Thousands??

That many people need MJ to treat their specific condition?

Re:Thousands??

[redmid17]

I'd mod you as illiterate but I don't want to waste the point.

Re:Thousands??

[msauve]

"That many people need MJ to treat their specific condition?"

What's Michael Jordan got to do with it?

Re:Thousands??

[Ol+Olsoc]

That many people need MJ to treat their specific condition?

Yes. A lot of people are in constant pain. And opioids are an issue with addiction, and when doctors take the patient off of the vicodin or whatever they were on, kow what many turn to? Heroin. This is conjecture, but if more people could legally use ganja as a way to help allay chronic pain, there will probably be less heroin addicts.

Re:Thousands??

If ignorance is bliss, I envy a mind so unmolested by experience that (some constant100)*(10^3) is still perceived to be a large quantity.
There are 319*(10^6) people in the United States and ~7.4*(10^7) people on this planet.

2.839*(10^6) of them live in Nevada.
2,839,000/500000 = 5.6 people/dispensary
2,839,000/50000 = 56 people/dispensary
2,839,000/5000 = 560 people/dispensary
2,839,000/1000 = 2839 people/dispensary

Actually, I take it back: Even under the mildest of assumptions that dispensary per person ratio is pretty fucking high.

To put this in perspective: there are ~200 gas stations in Las Vegas according to Google Maps. That works out to 3,000 people for every gas station.

With this in mind: do you need a medical marijuana dispensary for every 2,839 HEALTHY people in a state?
Even if ~50% of them needed medical marijuana that is still only ~1420 prospective customers per dispensary.

Re:Thousands??

[frovingslosh]

That many people need MJ to treat their specific condition?

At least in California, the medical "need" is a joke. Virtually anything qualifies, including anxiety about getting caught with the drug without a "weed card". I expect it is the same in neighboring Nevada.

Re:Thousands??

[ChoGGi]

Nothing, they meant ground up Micheal Jackson nose candy.

Re:Thousands??

According to Norml, there is an estimated 20,773 registered patients that have prescriptions for medical marijuana. The application is also for establishing cultivation.

Re:Thousands??

[Highdude702]

Oh hi, everyone commenting on this..

I live in Las Vegas. We have recently legalized Recreational use of marijuana(been waiting for this since i was a kid). So with that said, There are about +/-20 Actual MEDICAL dispensaries around town. But my suspicions lead me to believe that this isn't a database of Medical Dispensary applicants, but a database with the people that were recently allowed to apply to become commercial Recreational Marijuana Dispensaries.

Just figured i would add my two pennies to this, As after the first of the year i will be too high to remember where i actually put the two pennies. :)

Re:Thousands??

Yo, stoner. Just read TFA and look down at the bottom. There's a actual application shown with redacted fields applicant information. It clearly says that the applicant will be an agent for "Medical Marijuana Establishments".

Re:Thousands??

[Highdude702]

How did you know my name? From the looks of that, it is to become an employee(agent) of a MME(Medical Marijuana Establishment) Not a dispensary itsself.

What?

[alzoron]

weight and height, race, and eye and hair color.

Why the hell is that on the application?

Re:What?

[ScentCone]

weight and height, race, and eye and hair color.

Why the hell is that on the application?

For the same reason it's on, say, the paperwork for someone who wants to fly a 4-pound plastic toy with a camera on it in order to save themselves the risk of climbing up a ladder to give someone a quote for $75 worth of roof gutter cleaning. For the same reason the government wants to know the eye and hair color of a farmer who buys a $100 rimfire .22 rifle to use on rodents around his grain storage.

Re:What?

So that the information matches up with the person on the photo ID and fingerprints.

Re:What?

[Osgeld]

pretty much the same thing on your drivers licence that you flash to random people all the time whenever you want to buy hooch, tobacco, enter a club, get pulled over for speeding, or enter a titty bar

for pretty much the same reason's, to make sure stephen didnt swap photo's from leon's ID (course nowdays its much harder, but even 20 years ago it required a razor blade and not much else) cause in the real world, it takes a bit more than a wink and a pinky swear to do such activities as produce and distrubuite items for human consumption dipshit

Re:What?

[swb]

Probably to mollify the feds under the Justice Department guidelines for state-level marijuana legalization. Pull out all the stops to demonstrate how much control you're imposing.

But

I thought "information wants to be free"? Or does that just pertain to everybody else's information?

Re:But

[Narcocide]

Some information clearly wants to be free whether you like it or not. A socially mature society, however, would be able to distinguish this from identity theft.

Re:But

Why does the government need all that personal information?

Re:But

[Highdude702]

They already have that information, They just like to waste our time and money on repetitiveness.

Government coercion is disgusting; need to end gov

The only way we're going to get away from the violence, coercion, theft, and fraud that government is is by eliminating it. I'm not a conservative, republican, or democrat. I want an end to the state because the state is violent. I don't think the government has any business in setting up wealth redistribution programs or telling people what they can or can't put in their own body. I don't think the government has any right to say who can and can't drive (drivers licenses, vehicular registration, insurance, etc). The government should be almost non-existent. We don't need board walls or guards. We don't need a state police. We don't need a lot of things and in the process of those who wish to get those things they currently depend on violence to achieve them via theft of funds from other non-voluntary participants. If you want security you should be free to purchase it or join with others whom want such things (there are even apps for smart phones to achieve that in a zero cost way; look up Cell 411). I hope to eliminate government by telling others about a movement for those of us who put freedom above "safety" and don't think the government should be setting up wealth redistributions programs or licensing drivers or even setting up check points (at the board or otherwise). Life has risks and trying to eliminate all risk doesn't end the way I want it to. It ends in a terrible police state that I'd rather not live in. http://www.freestateproject.org/ for migration effort of liberty-minded people http://www.freeekeene.com/ for liberty-oriented news in New Hampshire (destination of the liberty-minded).

How convenient

[drinkypoo]

That's 11,700 less records they'll have to provide to the feds under subpoena when Trump's stormtroopers show up with helicopters and assault rifles to take all that nasty devil weed away.

Anyone who voluntarily registers for one of these programs is a maroon. It's still a federal crime, kids.

Re: How convenient

These are people registering to set up dispensaries. That's right... 11,000 dispensaries in one state. It's Cheech & Chong's wet dream.

Re:How convenient

I'm not maroon, you insensitive clod! I'm purple! I'm also a patient in Nevada.

I can't say that I've ever spoken to a federal officer, other than possibly at an airport or boarder. I have, however, talked to state and local police, including having a warrant served on my home to search for someone that I've never met (that's how they found my 0.34g of weed). It's a hell of a lot easier to go on a yearly scavenger hunt (Department of Health, doctor, notary, Department of Health) and pay a couple hundred dollars, rather than possible criminal charges and job loss.

I don't want to stop using weed, and I don't want to be a criminal, these laws have allowed me to do both.

Re: How convenient

Reagan distracted the country from his unprecedented deficits and debt run-up with the War on Drugs.

Re: How convenient

[drinkypoo]

These are people registering to set up dispensaries. That's right... 11,000 dispensaries in one state. It's Cheech & Chong's wet dream.

Except Nevada has a long history of being way beyond strict; see the gaming commission for details. They're not going to approve any 11,000 dispensaries.

Re:How convenient

... show up with helicopters and assault rifles to take all that nasty devil weed away.

Ahh, yes: First Trump is going to let corporations rob us blind, now Trump is going to rob the corporations. In that case, I'm all for him. Bush junior was the biggest corporate sell-out by a dozen light-years and no-one whinges about his reign of terror. Trump hasn't even started work and the bullshit is waist-high. Have the bat-shit crazy got nothing more important to do than endless whinging?

Re:How convenient

Going AC because I don't just tell everyone, but I smoke marijuana.

This is the reason I don't get a "red card", which is what they call the medical marijuana card here in Colorado.

I'm not so worried about the federal government arresting me for being a casual user, but if a potential employer discovered that information it might mean no job offer. I have no problem stopping long enough to pass a drug test if that's what they want.

Before recreational sales I just stuck with the black market. My supplier told me it was diverted from otherwise state-legal medical marijuana grows anyway. I say "supplier" because he wasn't really a dealer, just a friend with better connections than me who would get a bag for me when he got his own. The law would call him a dealer though.

Now I just run down to the store and pick some up. Medical sales are not subject to as much tax though and it's much cheaper if you incur that one-time cost for a doctor recommendation.

One store has a "frequent buyer program" which of course requires your data in their own database in their little storefront. IIRC, after spending $750 at their store you get.....a free disposable lighter! They were higher tier rewards, but I stopped reading right there. I spend about $100 a month and I don't always shop there anyway.

These frequent buyer programs strike me as odd anyway, but they're not uncommon among liquor stores here. They're really a rip-off IMO. I'm top tier at one liquor store and they always tell me "oh, and with that your total is $17.36" (I always buy the same thing). Really? That's about what everybody else charges anyway whether they have a rewards program or not.

I can sense I'm starting to ramble, but I highly (heh, I didn't even mean that as a pun but I'll allow it) recommend the Glass Slipper which is described as "a sativa-dominant hybrid described to have a nice cerebral effect with a sweet, somewhat fruity flavor profile." I remember buying pot about 25 years ago and my dealer when asked how good it was would often say "It'll get you high" - which meant it was crappy Mexiweed with seeds and stems.

Re:How convenient

[burtosis]

That's 11,700 less records they'll have to provide to the feds under subpoena when Trump's stormtroopers show up with helicopters and assault rifles to take all that nasty devil weed away.

Don't be silly, they will send the storm troopers in APCs. Snipers go in the helicopters.

Anyone who voluntarily registers for one of these programs is a maroon. It's still a federal crime, kids.

Assuming you meant moron instead of an obtuse racial slur lol.

Re:How convenient

Stormtroopers indeed..

Dispensary Raids Rise Under Obama Regime - Green Rush Daily
https://www.greenrushdaily.com/2016/02/24/dispensary-raids-rise-obama-regime/

Obama's War on Pot - Rolling Stone
http://www.rollingstone.com/politics/news/obamas-war-on-pot-20120216

Obama's War on Pot | The Nation
https://www.thenation.com/article/obamas-war-pot/

Obama Explains Increasing Medical Marijuana Crackdowns, Raids In
http://www.huffingtonpost.com/2012/04/25/obama-marijuana-raids-rolling-stone_n_1451744.html

Judging From Prosecutions, Obama Is 80 Percent Worse Than Bush ...
http://reason.com/blog/2013/06/14/obama-is-80-percent-worse-than-bush-on-m

Obama's medical marijuana prosecutions probably aren't legal - Slate
http://www.slate.com/articles/news_and_politics/jurisprudence/2016/04 /obama_s_medical_marijuana_prosecutions_probably_aren_t_legal.html

and so on...

Re:How convenient

https://youtu.be/Mvh0IktOz24

It's Bugs Bunny intentionally mispronouncing "moron" as "maroon". Just like he mispronounced "ignoramus" as "ignaranomous". Old-time comic Norm Crosby used malapropisms extensively in his stand-up routine. It's entirely for comedic effect and not as a racial slur.

Re: How convenient

[geekmux]

These are people registering to set up dispensaries. That's right... 11,000 dispensaries in one state. It's Cheech & Chong's wet dream.

Except Nevada has a long history of being way beyond strict; see the gaming commission for details. They're not going to approve any 11,000 dispensaries.

How ironic you want to talk about "strict" regarding the state that has built up the largest legal gambling mecca in the known universe, in the face of the rest of the country that hardly even allows a dog track to operate.

Oh, and let's not forget the whorehouses too. Strict my ass. Nevada will legalize and approve anything that brings them revenue, morality be damned. The only thing standing in the way of 11,000 dispensaries is the alcohol mafia, because they know what people will ultimately prefer.

Re: How convenient

How ironic you want to talk about "strict" regarding the state that has built up the largest legal gambling mecca in the known universe

False. Macau surpassed Las Vegas in gambling revenue back in 2007 or so.

http://money.cnn.com/2014/01/0...

Re: How convenient

[Highdude702]

God i love my state! Thank you for pointing out all of the AWESOME that happens here in Nevada!

Re: How convenient

[apparently]

These are people registering to be patients, not registering to open dispensaries, you illiterate fucking idiot.

Re: How convenient

These are people registering to set up dispensaries. That's right... 11,000 dispensaries in one state. It's Cheech & Chong's wet dream.

Except Nevada has a long history of being way beyond strict; see the gaming commission for details. They're not going to approve any 11,000 dispensaries.

Actually, it's applications for Medical Marijuana Cards, not dispensary applications, which are much longer and wouldn't be processed by this state agency (we have about 40-50 dispensaries operating in Clark County, Nevada (where Vegas is located).

The portal processes applications for applications for Medical MJ cards...

Re: How convenient

These are people registering to be patients, not registering to open dispensaries, you illiterate fucking idiot.

Read the article again. It says "applicants for dispensing medical marijuana" The middle part in Italics is the important part. You know that part that says "for dispensing" not "for consuming". AKA not patients, but legal pot dealers. Maybe you should re-read something before you go on your little rant that someone is stupid because maybe they caught something that you missed. You know like right now, at this moment, when you try to attack someone and just look like a jack ass.

Haha, my spidey senses are telling me this was...

due to a poorly written app/site/webservice by a nephew for the dispensary owning uncle or some other amateur hour nonsense.

Re:Government coercion is disgusting; need to end

OK, give that some more thought next time you need to flush the toilet or drive your car somewhere.

Re:Government coercion is disgusting; need to end

"I don't think the government has any business in setting up wealth redistribution programs"

The government should create money for a basic income. Indexation fixes inflation.

Hmmm

[burtosis]

eye color

- pretty sure that would be red on every application.

Re:Hmmm

[Highdude702]

Had i not commented, You sir would have gotten modded to +5

Jailed for security research!

[mbeckman]

This message was relayed to be by an inmate at a Texas jail facility: "I'm writing this from the Dallas PD lockup. I was out in the Ft. Worth area doing security research of residential door knobs, testing which doors might be open and thus exposing housing to breaches. Some guy named Justin Shafer confronted me when I apparently accessed the knobs on his house. He called the cops and now I'm charged with attempted burglary! I explained that my intentions were purely honorable; after all, I'm not a thief! Yes, it's true, I copied some of his mail off the desk in the den, but that was just so I could prove the vulnerability to the gan... er, security community. Anyway, the arraignment didn't go so well, even after I explained that the judge should be thanking me. So I've got a contempt citation too. All I can say is, thank goodness for identity theft!

If people made physical things like software.

If companies that made safes and strong-boxes, and the like had the same record the people who make these things do, they'd be out of business, sued into oblivion or in jail.

Here's an idea... we have professional organizations to ensure standards for professions like doctors, engineers, even cabinet makers I think, are made to certain standards. The IT professions are NO LONGER in their infancies. Why isn't there someone licensing and credentialing the people responsible for making these systems like there are for people who build bridges, roads, office-buildings, apartment buildings, rockets, guns, etc.

Why aren't people required to be properly certified to make software, properly trained, and held accountable when shit like this happens?

Why are we at the mercy of these people? Can they really NOT do better? Modern conventional wisdom is that nothing is incapable of being hacked, but I beg to differ. I own a wristwatch that cannot be. Not by a hacker, not over the internet. Because it's not connected to it, it's not capable of being connected to it. So there goes that theory. A bottle of water cannot be hacked. There's nothing you can do as a hacker using the internet to alter the water and make it anything else. Even if you could convince someone using hacking skills or tools to add something to the water changing it, you don't know where the water is, and can't find out using the internet.

Let's suppose nothing is not hackable... well, let's say things can at least be made ridiculously hard to hack, prohibitively hard, and that's the way things should be when they put people's personal, private information in them and if they are not willing, ready and able to do so, they should not be allowed to make or sell, or buy or use software that isn't certifiable and certified, just as someone who recklessly fails to protect that which it is their duty to protect is liable in the eyes of the law.

So it should be with the writers of software, maintainers of data systems, etc. When someone screws up like this, it should not be the innocent who trusted that their software was worth a fuck, but the person or people responsible for the fact that it isn't worth a fuck, from a security perspective.

re: Nevada Website Bug Leaks Thousands of Medical

[rickyslashdot]

OMG ! The marijuana industry just got a BIG promotional boost - all for free - from the news that there will be a dispensary coming to your neighborhood soon - - - lol

Re:Government coercion is disgusting; need to end

[Highdude702]

I think you are mistaken here, The government "Creating money" is what devalued out dollar so far.. so lets make more and see how that goes?

Yea i don't think so

difficulty: n00b

took all of about 15 seconds to find... name, social, ph num... everything anyone would want for identity theft.. this is potentially terrible for anyone that applied

Re:Government coercion is disgusting; need to end

yeah,

No. I do not think you understand what money is. Maybe you should take an economics class?