Nevada Website Bug Leaks Thousands of Medical Marijuana Dispensary Applications

An anonymous reader quotes a report from ZDNet: Nevada's state government website has leaked the personal data on over 11,700 applicants for dispensing medical marijuana in the state. Each application, eight pages in length, includes the person's full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant's citizenship, their driving license number (where applicable), and social security number. Security researcher Justin Shafer found the bug in the state's website portal, allowing anyone with the right web address to access and enumerate the thousands of applications. Though the medical marijuana portal can be found with a crafted Google search query, we're not publishing the web address out of caution until the bug is fixed. A spokesperson for the Nevada Dept. Health and Human Services, which runs the medical marijuana application program, told ZDNet that the website has been pulled offline to limit the vulnerability. The spokesperson added that the leaked data was a "portion" of one of several databases.

Re:But

[Narcocide]

Some information clearly wants to be free whether you like it or not. A socially mature society, however, would be able to distinguish this from identity theft.

Hmmm

[burtosis]

eye color

- pretty sure that would be red on every application.

Re:Thousands??

[Ol+Olsoc]

That many people need MJ to treat their specific condition?

Yes. A lot of people are in constant pain. And opioids are an issue with addiction, and when doctors take the patient off of the vicodin or whatever they were on, kow what many turn to? Heroin. This is conjecture, but if more people could legally use ganja as a way to help allay chronic pain, there will probably be less heroin addicts.

Re:Just say you're authorized

[bobjr94]

I was looking up an order on a stores website once, I noticed the url was just like suckywebstore.com/order?11567 . Out of curiosity I changed the last digit of the order page url (maybe like 11567 to 11566) and it then showed me the complete order for another customer, and changing the number to any other number less then showed that order's info.

That order page showed the customer address, phone #, email address, items ordered, last 4 of the CC # & date, shipping, time and date of the order.

That first thing I thought of was a scammer could call or email any customer, Say - Hi Todd, this is joe from suckystore.com and your order for the 3 dvd players and 2 cables last tuesday didn't get approved, can I get that credit card number from you again ? it was missing one number - Since you had all their order information most people would be sure it was a real call/email and would not hesitate to give you that credit card again. And because you had the customers full name & address it would be very easy to go on a shopping spree with out asking for revealing information.

Re:Thousands??

[Highdude702]

Oh hi, everyone commenting on this..

I live in Las Vegas. We have recently legalized Recreational use of marijuana(been waiting for this since i was a kid). So with that said, There are about +/-20 Actual MEDICAL dispensaries around town. But my suspicions lead me to believe that this isn't a database of Medical Dispensary applicants, but a database with the people that were recently allowed to apply to become commercial Recreational Marijuana Dispensaries.

Just figured i would add my two pennies to this, As after the first of the year i will be too high to remember where i actually put the two pennies. :)