Nearly a million passports and photo IDs were left unprotected on the public internet, exposing sensitive personal data of individuals from around the world.
What Happened
A security researcher discovered that over 985,000 photo IDs were stored at public URLs with no password or access control. The IDs included passports, driver's licenses, and other forms of identification. The researcher used an automated tool to find the exposed data, which was linked to a verification system used by cannabis clubs in Spain.
The verification system, developed by Cannabis Club Systems (CCS), allowed receptionists to upload users' identity documents and selfies to Nefos' cloud. The researcher found that the company had no meaningful level of security: the uploaded documents sat at public URLs, and anyone who knew or discovered a URL could download the document with no password, session or other access control in the way.
The researcher also found that the cannabis clubs were uploading around 5,000 new photo IDs a day to these insecure URLs, so the exposure kept growing by thousands of documents daily, each belonging to a person who had no idea their data was reachable by anyone on the internet.
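The contrast between what the researcher found and what an identity-document store should do is simple to show in code. The example below is added here and is not code from CCS, Nefos or the article: it uses an in-memory dictionary as a stand-in for the document store and a made-up hostname, and it shows the vulnerable pattern (any object returned to anyone who knows its path) beside a hardened one, where the server hands out a short-lived URL carrying an HMAC over the document id and expiry time, and rejects requests that are unsigned, expired or retargeted at a different document. Cloud providers' presigned URLs (S3, GCS and the like) work the same way at scale; the point is that the URL alone must never be the credential.

```python
import hmac
import hashlib
import time
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit

# Server-side signing key. It never leaves the server and is never embedded in a client.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed sample store: document id -> bytes, standing in for scanned IDs.
DOCUMENTS = {
    "doc-1001": b"<passport scan>",
    "doc-1002": b"<driver licence scan>",
}

BASE = "https://docs.example.invalid"  # hypothetical host, not a real service


def public_url_lookup(url):
    """Vulnerable pattern: the object is served to anyone who knows the path."""
    doc_id = urlsplit(url).path.rsplit("/", 1)[-1]
    return DOCUMENTS.get(doc_id)


def _mac(doc_id, expires):
    msg = f"{doc_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(doc_id, ttl_seconds, now=None):
    """Issue a URL that is valid only for this document and only until `expires`.

    Issued only after the caller has been authenticated and authorised for doc_id
    (that check is outside the scope of this example).
    """
    expires = int(now if now is not None else time.time()) + ttl_seconds
    return f"{BASE}/{doc_id}?" + urlencode({"expires": expires, "sig": _mac(doc_id, expires)})


def signed_url_lookup(url, now=None):
    """Hardened pattern: serve the object only for a valid, unexpired, untampered signature."""
    parts = urlsplit(url)
    doc_id = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None  # unsigned or malformed request
    if (now if now is not None else time.time()) >= expires:
        return None  # expired link
    # Constant-time comparison; the MAC binds both the document id and the expiry,
    # so swapping the id in a signed URL for another document invalidates it.
    if not hmac.compare_digest(_mac(doc_id, expires), sig):
        return None
    return DOCUMENTS.get(doc_id)


if __name__ == "__main__":
    link = sign_url("doc-1001", ttl_seconds=300)
    print("signed fetch:", signed_url_lookup(link))
    print("unsigned fetch:", signed_url_lookup(f"{BASE}/doc-1001"))
    print("retargeted fetch:", signed_url_lookup(link.replace("doc-1001", "doc-1002")))
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in production both sides use the real clock, and the TTL should be as short as the reception workflow allows.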
Background and Context
Cannabis Club Systems (CCS) provides software for sales, accounting, and admissions to cannabis clubs in Spain. Its verification system, the one whose document store the researcher found exposed, lets receptionists upload users' identity documents and selfies to Nefos' cloud.
The researcher also discovered that the PuffPal app, developed by 9Series for CCS, contained a secret key for the Stripe payments platform in plain text. Stripe secret keys authorise API calls with the merchant account's full privileges and are meant to stay on the server; a key embedded in a distributed mobile app can be recovered by anyone who unpacks the app, who could then act against the company's Stripe account and the customer and payment records held there.
CCS has since shut down its entire PuffPal system and the vulnerable APIs until they can be fixed. The company has also informed local authorities and says it will take responsibility: fix the flaws, pay any fines, and tell users what happened.
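A hardcoded Stripe secret key is the kind of finding that a scan of the unpacked app bundle catches before release. The example below is added here and is not code from CCS, 9Series or the article. It walks a directory standing in for a decompiled APK or IPA, scans every file as raw bytes (so strings inside compiled code are found, not only text resources), and classifies what it finds by Stripe's key prefixes: `pk_` publishable keys are designed to live in clients, while `sk_` secret and `rk_` restricted keys must never ship. The key pattern's minimum length and the sample bundle, with obviously fake keys, are constructed for the example.

```python
import os
import re
import tempfile

# Stripe key prefixes: pk_ (publishable, safe in clients), sk_ (secret), rk_ (restricted).
# The body length threshold is an assumption chosen to avoid matching short strings.
KEY_RE = re.compile(rb"\b(sk|rk|pk)_(live|test)_[0-9A-Za-z]{16,}\b")

SEVERITY = {b"sk": "critical", b"rk": "high", b"pk": "info"}


def scan_bytes(data, source="<bytes>"):
    """Return one finding per key-shaped token in a blob, with the key value redacted."""
    findings = []
    for m in KEY_RE.finditer(data):
        kind, mode = m.group(1), m.group(2)
        token = m.group(0).decode()
        findings.append({
            "source": source,
            "kind": kind.decode(),
            "mode": mode.decode(),
            "severity": SEVERITY[kind],
            # Never log the full key: the report itself would become a secret.
            "redacted": token[:12] + "..." + token[-4:],
        })
    return findings


def scan_tree(root):
    """Scan every file under an unpacked app bundle as bytes."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings.extend(scan_bytes(fh.read(), os.path.relpath(path, root)))
    return findings


def must_not_ship(findings):
    """Findings that should fail the build: any secret or restricted key in client code."""
    return [f for f in findings if f["kind"] in ("sk", "rk")]


def build_sample_bundle():
    """Constructed stand-in for a decompiled app. The keys are fake placeholders."""
    root = tempfile.mkdtemp(prefix="bundle-")
    os.makedirs(os.path.join(root, "res", "values"))
    with open(os.path.join(root, "res", "values", "strings.xml"), "w") as fh:
        fh.write('<string name="stripe_pk">pk_live_FAKEFAKEFAKEFAKEFAKEFAKE</string>\n')
    # A secret key buried in a binary blob, the way it would appear in compiled code.
    with open(os.path.join(root, "classes.dex"), "wb") as fh:
        fh.write(b"\x00dex\n035\x00" + b"sk_live_FAKEFAKEFAKEFAKEFAKEFAKE" + b"\x00" * 8)
    return root


if __name__ == "__main__":
    bundle = build_sample_bundle()
    for f in scan_tree(bundle):
        print(f"{f['severity']:8} {f['source']}: {f['redacted']}")
    print("blocking findings:", len(must_not_ship(scan_tree(bundle))))
```

If a scan like this finds a live secret key in anything already distributed, the key must be treated as compromised and rolled in the Stripe dashboard; removing it from the next app version does nothing for the copies already in users' hands. Charges should be created by a server-side endpoint that holds the secret key, with the app carrying only the publishable key.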
Why it Matters
The exposure of sensitive personal data on the public internet is a serious concern for individuals and companies alike. In this case, the data exposed included passports, driver's licenses, and other forms of identification, which can be used for identity theft, financial fraud, and other malicious activities. Unlike a password, an identity document cannot be reset after it leaks; it stays valid, and usable by a fraudster, until it expires.
For adult-industry platforms and operators, the exposure is particularly relevant, because age-verification schemes collect exactly this class of document. The industry already faces significant challenges around age verification, moderation, and cybersecurity, and every store of scanned IDs that is left open adds to the risk those users carry.
What Comes Next
CCS has taken steps to address the issue by shutting down its PuffPal system and vulnerable APIs until they can be fixed. However, the company still faces significant questions about how this happened and what measures it will take to prevent similar incidents in the future.
The researcher who discovered the exposed data has called for greater transparency and accountability from companies that handle sensitive personal data. He argues that companies must prioritize security and take steps to protect users' data, rather than simply responding to incidents after they occur.
Key Facts
- Nearly a million passports and photo IDs were left unprotected on the public internet.
- The exposed data included passports, driver's licenses, and other forms of identification.
- The data was linked to a verification system used by cannabis clubs in Spain.
- CCS had no meaningful level of security, with sensitive data exposed at public URLs.
- The company has since shut down its PuffPal system and vulnerable APIs until they can be fixed.
In related news, several other companies have faced similar incidents involving the exposure of sensitive personal data. In 2022, a massive trove of over 120,000 passports and identity documents was found online due to an unprotected Amazon-hosted storage bucket. The bucket belonged to Mobike, a bike-sharing service that had been acquired by Meituan in 2018.
In another incident, FedEx customers' scanned passports and driver's licenses were exposed on an unsecured Amazon S3 server. The data included names, home addresses, phone numbers, and zip codes.
These incidents highlight the importance of prioritizing security and protecting sensitive personal data. The recurring failure is the same one: document stores and buckets left readable by anyone who finds the address. Companies handling identity documents need private storage by default, access only through authenticated, short-lived credentials, and no secrets embedded in client applications.