A website run by the Nevada state government has been pulled offline after it was discovered a vulnerability was leaking personal details of thousands of people applying to sell medical marijuana.
Nevada’s Department of Health and Human Services confirmed that the personal details — including addresses and social security numbers — of more than 11,000 applicants were accessible by simply typing in the correct URL.
In total, details of some 11,700 people were available for anyone to see using an easily discovered address. There are several concerns here, not least of which is that a government-run website could be so fantastically insecure. What is all the more concerning is the sheer amount of information that was held insecurely about applicants; in each case there was an eight-page document packed with personal details.
As noted by CSO: “The flaw enables anyone with access to a legitimate application, or knowledge of an application’s URL, to view thousands of completed forms by simply altering the ID number.”
The online portal is down at the moment, and a message on the site advices applicants of this:
ONLINE AGENT PORTAL TEMPORARILY DOWN
Our apologies, the online agent portal is temporarily down. It will be restored as soon as possible.
ZDNet has confirmed with at least one applicant that the data that was accessible is genuine. Seemingly wanting to downplay the vulnerability, a spokesperson for the Nevada Department of Health and Human Services told the site that the leak represented just a “portion” of one of multiple databases.
Image credit: Brian Goodman / Shutterstock