An Irish software firm managing membership of cannabis social clubs left more than a million member records and roughly 985,000 identity-document photos sitting on a server that required no password, according to a security researcher who extracted the data himself after joining a club in Barcelona and decompiling its app.
The researcher, Sammy Azdoufal, said the backend platform, CCS Nube, built by Nefos Solutions, assigned members sequential ID numbers and returned full profiles to anyone who sent a basic web request. He counted 1,082,680 member records, 923,543 passport or national-ID numbers, and 985,841 ID photographs stored at predictable, unauthenticated URLs. Profiles also held home addresses, phone numbers, dates of birth, monthly consumption figures and strain preferences.
The case was documented by Sean Hollister of The Verge, whose reporting offers the fullest account of the exposure and the company's response. Hollister found that clubs were uploading about 5,000 new ID photos a day, and that Nefos briefly relocked then reopened the images after clubs complained. Co-founder Andreas Nilsen told The Verge the company was shutting down PuffPal, parting with the outside developer, and expected a penalty.
Azdoufal said the optional PuffPal app was only his entry point. Members enrolled at a front desk or web portal were in the same database whether or not they installed anything. He also found a Stripe payment key and Firebase credentials hardcoded in the app, plus private member-to-club messages readable across accounts. He reported the findings to Nefos on April 22 and received no reply for 26 days, past the 72-hour breach-notification window the EU's General Data Protection Regulation requires.
Hurrah for predictable URL exploits, sometimes framed as "forceful browsing" but really just "going to the web site." And passports are now a regular item exposed by similar incidents. An unofficial UK visa portal left at least 100,000 passports and selfies open in a misconfigured cloud bucket—a taste of what's to come with all the age-gated identity verification going on there. To upload government-issued ID is to create a valuable resource for any crook wanting to take out a loan, clone a SIM card or pursue any of a variety of criminal shenanigans in your name or against your interests. For members holding passports from countries where cannabis use is criminalized, these records will also be interesting to the authorities there.
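As an added defensive example, not from the article and not code from Nefos or its platform: a small Python detector that, run over web access logs, flags a client walking sequential member IDs, which is the access pattern that unauthenticated, predictable record URLs invite. The combined-log format, the `/api/members/<id>` path shape and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined-log style; not from the incident.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2025:10:00:01 +0000] "GET /api/members/1001 HTTP/1.1" 200 812
203.0.113.7 - - [22/Apr/2025:10:00:02 +0000] "GET /api/members/1002 HTTP/1.1" 200 799
203.0.113.7 - - [22/Apr/2025:10:00:02 +0000] "GET /api/members/1003 HTTP/1.1" 200 801
203.0.113.7 - - [22/Apr/2025:10:00:03 +0000] "GET /api/members/1004 HTTP/1.1" 200 790
203.0.113.7 - - [22/Apr/2025:10:00:03 +0000] "GET /api/members/1005 HTTP/1.1" 200 805
203.0.113.7 - - [22/Apr/2025:10:00:04 +0000] "GET /api/members/1006/photo HTTP/1.1" 200 48211
198.51.100.9 - - [22/Apr/2025:10:00:05 +0000] "GET /api/members/4417 HTTP/1.1" 200 803
198.51.100.9 - - [22/Apr/2025:10:05:09 +0000] "GET /api/members/4417/photo HTTP/1.1" 200 51002
198.51.100.9 - - [22/Apr/2025:10:07:30 +0000] "GET /api/members/4417 HTTP/1.1" 200 803
"""

# Client IP, request line and status from a combined-log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Hypothetical member-record path; the numeric segment is the (assumed sequential) member ID.
ID_RE = re.compile(r'^/api/members/(?P<id>\d+)')

def longest_sequential_run(ids):
    """Length of the longest run in which each ID is exactly the previous one plus one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(log_text, min_run=5):
    """Return {client_ip: (run_length, distinct_ids)} for clients whose successful
    record fetches walk sequential member IDs for at least min_run steps in a row."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('status') != '200':   # only successful record reads count
            continue
        idm = ID_RE.match(m.group('path'))
        if idm:
            per_client[m.group('ip')].append(int(idm.group('id')))
    findings = {}
    for ip, ids in per_client.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            findings[ip] = (run, len(set(ids)))
    return findings

if __name__ == '__main__':
    print(detect_enumeration(SAMPLE_LOG))   # {'203.0.113.7': (6, 6)}
```

A member who re-opens their own profile and photo (the second client above) produces no alert, while a client stepping through 1001..1006 does; in production the same logic belongs behind the authorization check that the exposed platform lacked, not in place of it.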
Nearly a million passports and photo IDs were left unprotected on the public internet [The Verge]