Agent applications for establishments looking to operate within Nevada’s medical marijuana program have been exposed to the public, enabling anyone to view an applicant’s personal details.
The exact cause of the data breach is unknown, but similar incidents have been the result a configuration error. The flaw enables anyone with access to a legitimate application, or knowledge of an application’s URL, to view thousands of completed forms by simply altering the ID number.
According to the Nevada Division of Public and Behavioral Health (DPBH), only those designated by the medical marijuana establishments and DPBH have access to the agent registration system.
“All agent card registration is done electronically through a web-based interface provided by the Division. The designee and the Division can access agent card information on the site. Only MME designees have login access to the system. The designees manage all agent card business for their establishment(s) on the secure agent card website with special access,” the DPBH website explains.
The ability to view all of the collected applications on the portal, given these access restrictions, signifies a serious problem that's exposed those seeking agent status in the industry.
As of Wednesday morning, the ID numbers stop at 11,771, giving a good indication of the number of people exposed by the breach. A Google search for identifiers (based on the domain and application formatting) revealed an indexed application, which exposes the flaw to the public. As such, it’s possible for anyone enumerating the ID number to scrape the application data.
The applications contain a prospective agent’s name, birth location, date of birth, and Social Security Number, as well as their driver's license details (weight, eye color, hair, ID number, etc.) phone number, physical address, and mailing address if different. The applications also include a form needed for fingerprinting, which contains the same personal information.
Salted Hash was made aware of this incident via an email from Justin Shafer, a security researcher working in the dental industry. Shafer is best known for his disclosure of security problems with software provided by Henry Schein.
His security work got him into hot water last summer, as he was raided by the FBI after discovering sensitive health information on an anonymous FTP server exposed to the public.
After being notified about the security problem, the company behind the software responsible for the FTP server (Patterson Dental) claimed Shafer had exceeded authorized access and contacted the FBI.
Salted Hash has reached out to the Nevada DPBH for comments. We’ve asked for details on why these agent applications are being exposed in such a way, and information on when the problem started. We've also inquired as to when the division plans to start notifications.
We’ll update this post should they respond.
Update:
While no one has contacted Salted Hash directly, ZDNet's Zack Whittaker is reporting that a state spokesperson confirmed the vulnerability and that notifications would be happening within days.