Slashdot Mirror


Nevada Website Bug Leaks Thousands of Medical Marijuana Dispensary Applications (zdnet.com)

An anonymous reader quotes a report from ZDNet: Nevada's state government website has leaked the personal data on over 11,700 applicants for dispensing medical marijuana in the state. Each application, eight pages in length, includes the person's full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant's citizenship, their driving license number (where applicable), and social security number. Security researcher Justin Shafer found the bug in the state's website portal, allowing anyone with the right web address to access and enumerate the thousands of applications. Though the medical marijuana portal can be found with a crafted Google search query, we're not publishing the web address out of caution until the bug is fixed. A spokesperson for the Nevada Dept. Health and Human Services, which runs the medical marijuana application program, told ZDNet that the website has been pulled offline to limit the vulnerability. The spokesperson added that the leaked data was a "portion" of one of several databases.

30 of 55 comments

  1. Just say you're authorized by Anonymous Coward · · Score: 1

    Anyone with the right web address? That's not just a bug, it's plain incompetence.

    To every one of those applicants, it may as well have been the entire database.

    1. Re:Just say you're authorized by PolygamousRanchKid+ · · Score: 1

      Anyone with the right web address? That's not just a bug, it's plain incompetence.

      Yeah . . . what were those guys smoking, when they set that up . . . ?

      . . . maybe they were doing Whippets, as well . . . ?

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Just say you're authorized by drinkypoo · · Score: 1

      . . . maybe they were doing Whippets, as well . . . ?

      Bestiality is illegal in the state of Nevada. I think you want "Whip-Its". Or what I found cheapest on eBay, "Mr. Cream". Since basically all N2O is made by a couple of companies, the only difference is in the capsules themselves. Their dimensions can vary slightly, and it may be necessary to purchase a "replacement" capsule-holding part (the part that the capsule goes into) in order to have some capsules release correctly into your whipped cream canister. Ever since I got into reducing sugar in my diet I've been into making my own whipped cream, and I've stupidly been buying capsules from a semi-local restaurant supply store which actually costs more than my favorite head shop. It's not like you can't make it with a stand mixer (or just stand there and hold the mixer like any poor plebeian) but it doesn't come out as fluffy.

      Don't do whippets. They're just too small. Poor things.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Just say you're authorized by bobjr94 · · Score: 2

      I was looking up an order on a store's website once, I noticed the url was just like suckywebstore.com/order?11567 . Out of curiosity I changed the last digit of the order page url (maybe like 11567 to 11566) and it then showed me the complete order for another customer, and changing the number to any other number less then showed that order's info.

      That order page showed the customer address, phone #, email address, items ordered, last 4 of the CC # & date, shipping, time and date of the order.

      The first thing I thought of was a scammer could call or email any customer, Say - Hi Todd, this is joe from suckystore.com and your order for the 3 dvd players and 2 cables last Tuesday didn't get approved, can I get that credit card number from you again? it was missing one number - Since you had all their order information most people would be sure it was a real call/email and would not hesitate to give you that credit card again. And because you had the customer's full name & address it would be very easy to go on a shopping spree without asking for revealing information.
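
The order-page flaw described in the comment above and the enumeration of applications described in the summary both come down to a missing per-object authorization check. As an added example (not part of the thread or of any real site's code; every name and value is constructed), the vulnerable lookup is shown beside a checked one, with a detector for clients walking the ID space:

```python
from collections import defaultdict

# Constructed sample data; every name here is hypothetical.
ORDERS = {
    11565: {"owner": "carol", "address": "3 Example Rd", "items": ["hdmi cable"]},
    11566: {"owner": "alice", "address": "1 Example St", "items": ["dvd player"]},
    11567: {"owner": "bob", "address": "2 Example Ave", "items": ["dvd player", "cable"]},
}


class NotFound(Exception):
    """Raised for both missing orders and orders owned by someone else."""


def get_order_vulnerable(order_id):
    # The flaw: the number in the URL is the only thing consulted.
    return ORDERS[order_id]


def get_order_checked(session_user, order_id):
    # Authorize each lookup against the authenticated session, server side.
    order = ORDERS.get(order_id)
    # One error for "missing" and "not yours", so responses don't reveal valid IDs.
    if order is None or session_user is None or order["owner"] != session_user:
        raise NotFound(order_id)
    return order


def enumeration_suspects(requests, threshold=3):
    # requests: iterable of (client, session_user, order_id) tuples.
    # Flag clients whose denied lookups span `threshold` or more distinct IDs.
    denied = defaultdict(set)
    for client, user, order_id in requests:
        try:
            get_order_checked(user, order_id)
        except NotFound:
            denied[client].add(order_id)
    return sorted(c for c, ids in denied.items() if len(ids) >= threshold)


# Constructed request log: bob views his own order, one client walks the ID space.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "bob", 11567),
    ("203.0.113.9", "bob", 11566),
    ("203.0.113.9", "bob", 11565),
    ("203.0.113.9", "bob", 11564),
]
```
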

  2. Dude by turkeydance · · Score: 1

    don't do that. ok?

  3. What? by alzoron · · Score: 1

    weight and height, race, and eye and hair color.

    Why the hell is that on the application?

    1. Re:What? by ScentCone · · Score: 1

      weight and height, race, and eye and hair color.

      Why the hell is that on the application?

      For the same reason it's on, say, the paperwork for someone who wants to fly a 4-pound plastic toy with a camera on it in order to save themselves the risk of climbing up a ladder to give someone a quote for $75 worth of roof gutter cleaning. For the same reason the government wants to know the eye and hair color of a farmer who buys a $100 rimfire .22 rifle to use on rodents around his grain storage.

      --
      Don't disappoint your bird dog. Go to the range.
    2. Re:What? by Osgeld · · Score: 1

      pretty much the same thing on your driver's licence that you flash to random people all the time whenever you want to buy hooch, tobacco, enter a club, get pulled over for speeding, or enter a titty bar

      for pretty much the same reasons, to make sure stephen didn't swap photos from leon's ID (course nowadays it's much harder, but even 20 years ago it required a razor blade and not much else) cause in the real world, it takes a bit more than a wink and a pinky swear to do such activities as produce and distribute items for human consumption dipshit

    3. Re:What? by swb · · Score: 1

      Probably to mollify the feds under the Justice Department guidelines for state-level marijuana legalization. Pull out all the stops to demonstrate how much control you're imposing.

  4. Re:Thousands?? by redmid17 · · Score: 1

    I'd mod you as illiterate but I don't want to waste the point.

  5. Re:But by Narcocide · · Score: 2

    Some information clearly wants to be free whether you like it or not. A socially mature society, however, would be able to distinguish this from identity theft.

  6. Re: How convenient by drinkypoo · · Score: 1

    These are people registering to set up dispensaries. That's right... 11,000 dispensaries in one state. It's Cheech & Chong's wet dream.

    Except Nevada has a long history of being way beyond strict; see the gaming commission for details. They're not going to approve any 11,000 dispensaries.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:How convenient by Anonymous Coward · · Score: 1

    Going AC because I don't just tell everyone, but I smoke marijuana.

    This is the reason I don't get a "red card", which is what they call the medical marijuana card here in Colorado.

    I'm not so worried about the federal government arresting me for being a casual user, but if a potential employer discovered that information it might mean no job offer. I have no problem stopping long enough to pass a drug test if that's what they want.

    Before recreational sales I just stuck with the black market. My supplier told me it was diverted from otherwise state-legal medical marijuana grows anyway. I say "supplier" because he wasn't really a dealer, just a friend with better connections than me who would get a bag for me when he got his own. The law would call him a dealer though.

    Now I just run down to the store and pick some up. Medical sales are not subject to as much tax though and it's much cheaper if you incur that one-time cost for a doctor recommendation.

    One store has a "frequent buyer program" which of course requires your data in their own database in their little storefront. IIRC, after spending $750 at their store you get.....a free disposable lighter! They were higher tier rewards, but I stopped reading right there. I spend about $100 a month and I don't always shop there anyway.

    These frequent buyer programs strike me as odd anyway, but they're not uncommon among liquor stores here. They're really a rip-off IMO. I'm top tier at one liquor store and they always tell me "oh, and with that your total is $17.36" (I always buy the same thing). Really? That's about what everybody else charges anyway whether they have a rewards program or not.

    I can sense I'm starting to ramble, but I highly (heh, I didn't even mean that as a pun but I'll allow it) recommend the Glass Slipper which is described as "a sativa-dominant hybrid described to have a nice cerebral effect with a sweet, somewhat fruity flavor profile." I remember buying pot about 25 years ago and my dealer when asked how good it was would often say "It'll get you high" - which meant it was crappy Mexiweed with seeds and stems.

  8. Re:Thousands?? by msauve · · Score: 1

    "That many people need MJ to treat their specific condition?"

    What's Michael Jordan got to do with it?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  9. Hmmm by burtosis · · Score: 3, Funny

    eye color

    - pretty sure that would be red on every application.

    1. Re:Hmmm by Highdude702 · · Score: 1

      Had i not commented, You sir would have gotten modded to +5

  10. Re:How convenient by burtosis · · Score: 1

    That's 11,700 less records they'll have to provide to the feds under subpoena when Trump's stormtroopers show up with helicopters and assault rifles to take all that nasty devil weed away.

    Don't be silly, they will send the storm troopers in APCs. Snipers go in the helicopters.

    Anyone who voluntarily registers for one of these programs is a maroon. It's still a federal crime, kids.

    Assuming you meant moron instead of an obtuse racial slur lol.

  11. Re:Thousands?? by Ol+Olsoc · · Score: 2

    That many people need MJ to treat their specific condition?

    Yes. A lot of people are in constant pain. And opioids are an issue with addiction, and when doctors take the patient off of the vicodin or whatever they were on, know what many turn to? Heroin. This is conjecture, but if more people could legally use ganja as a way to help allay chronic pain, there will probably be less heroin addicts.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  12. Re:Thousands?? by frovingslosh · · Score: 1

    That many people need MJ to treat their specific condition?

    At least in California, the medical "need" is a joke. Virtually anything qualifies, including anxiety about getting caught with the drug without a "weed card". I expect it is the same in neighboring Nevada.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  13. Re:How convenient by Anonymous Coward · · Score: 1

    Stormtroopers indeed..

    Dispensary Raids Rise Under Obama Regime - Green Rush Daily
    https://www.greenrushdaily.com/2016/02/24/dispensary-raids-rise-obama-regime/

    Obama's War on Pot - Rolling Stone
    http://www.rollingstone.com/politics/news/obamas-war-on-pot-20120216

    Obama's War on Pot | The Nation
    https://www.thenation.com/article/obamas-war-pot/

    Obama Explains Increasing Medical Marijuana Crackdowns, Raids In
    http://www.huffingtonpost.com/2012/04/25/obama-marijuana-raids-rolling-stone_n_1451744.html

    Judging From Prosecutions, Obama Is 80 Percent Worse Than Bush ...
    http://reason.com/blog/2013/06/14/obama-is-80-percent-worse-than-bush-on-m

    Obama's medical marijuana prosecutions probably aren't legal - Slate
    http://www.slate.com/articles/news_and_politics/jurisprudence/2016/04/obama_s_medical_marijuana_prosecutions_probably_aren_t_legal.html

    and so on...

  14. Re:Thousands?? by ChoGGi · · Score: 1

    Nothing, they meant ground up Michael Jackson nose candy.

  15. Re: How convenient by geekmux · · Score: 1

    These are people registering to set up dispensaries. That's right... 11,000 dispensaries in one state. It's Cheech & Chong's wet dream.

    Except Nevada has a long history of being way beyond strict; see the gaming commission for details. They're not going to approve any 11,000 dispensaries.

    How ironic you want to talk about "strict" regarding the state that has built up the largest legal gambling mecca in the known universe, in the face of the rest of the country that hardly even allows a dog track to operate.

    Oh, and let's not forget the whorehouses too. Strict my ass. Nevada will legalize and approve anything that brings them revenue, morality be damned. The only thing standing in the way of 11,000 dispensaries is the alcohol mafia, because they know what people will ultimately prefer.

  16. Jailed for security research! by mbeckman · · Score: 1

    This message was relayed to me by an inmate at a Texas jail facility: "I'm writing this from the Dallas PD lockup. I was out in the Ft. Worth area doing security research of residential door knobs, testing which doors might be open and thus exposing housing to breaches. Some guy named Justin Shafer confronted me when I apparently accessed the knobs on his house. He called the cops and now I'm charged with attempted burglary! I explained that my intentions were purely honorable; after all, I'm not a thief! Yes, it's true, I copied some of his mail off the desk in the den, but that was just so I could prove the vulnerability to the gan... er, security community. Anyway, the arraignment didn't go so well, even after I explained that the judge should be thanking me. So I've got a contempt citation too. All I can say is, thank goodness for identity theft!"

  17. re: Nevada Website Bug Leaks Thousands of Medical by rickyslashdot · · Score: 1

    OMG ! The marijuana industry just got a BIG promotional boost - all for free - from the news that there will be a dispensary coming to your neighborhood soon - - - lol

    --
    redneck geek
  18. Re:Thousands?? by Highdude702 · · Score: 2

    Oh hi, everyone commenting on this..

    I live in Las Vegas. We have recently legalized Recreational use of marijuana(been waiting for this since i was a kid). So with that said, There are about +/-20 Actual MEDICAL dispensaries around town. But my suspicions lead me to believe that this isn't a database of Medical Dispensary applicants, but a database with the people that were recently allowed to apply to become commercial Recreational Marijuana Dispensaries.

    Just figured i would add my two pennies to this, As after the first of the year i will be too high to remember where i actually put the two pennies. :)

  19. Re:Government coercion is disgusting; need to end by Highdude702 · · Score: 1

    I think you are mistaken here, The government "Creating money" is what devalued our dollar so far.. so lets make more and see how that goes?

    Yea i don't think so

  20. Re: How convenient by Highdude702 · · Score: 1

    God i love my state! Thank you for pointing out all of the AWESOME that happens here in Nevada!

  21. Re: How convenient by apparently · · Score: 1

    These are people registering to be patients, not registering to open dispensaries, you illiterate fucking idiot.

  22. Re:But by Highdude702 · · Score: 1

    They already have that information, They just like to waste our time and money on repetitiveness.

  23. Re:Thousands?? by Highdude702 · · Score: 1

    How did you know my name? From the looks of that, it is to become an employee(agent) of a MME(Medical Marijuana Establishment) Not a dispensary itself.