Newspaper article The Canadian Press

Medical Pot Company Plugs Web Security Flaw but Privacy Concerns Persist

Newspaper article The Canadian Press

Medical Pot Company Plugs Web Security Flaw but Privacy Concerns Persist

Article excerpt

Medical pot company plugs web security flaw


TORONTO - A prominent Canadian medical marijuana company took weeks to fix a website security weakness that could have allowed hackers to access a patient's sensitive information.

In an interview this week, the chief technology officer of Namaste Technologies said the changes were made late last month ahead of plans to roll out a complete reworking of the flawed application, which had been put in place in January.

The vulnerability allowed anyone to confirm whether a particular email address was registered with Namaste. More significantly, the website allowed an unlimited number of password attempts instead of locking a user out after three failed log-ins as is usually done.

"We've basically removed the ability to perform brute force attacks -- made it more difficult, really," Chad Agate, the chief technology officer of the Toronto-based company, said. "We do work to resolve those technical issues."

Medical marijuana websites typically request personal information that goes well beyond name, address, age and a copy of photo ID. Some require physical information such as height and weight, along with answers to questions such as whether the applicant has suffered from schizophrenia and what medications they take.

The patched Namaste program, which now returns a "obfuscated" generic message in terms of user names and locks out a user after three failed log-ins, was implemented weeks after a user alerted the company to the problem and The Canadian Press began asking questions about the issue.

Kurtis Cicalo, an Ottawa-based website developer and consultant, said a sophisticated hacker could have accessed a Namaste user's account in seconds.

While there is no evidence intruders did in fact obtain or misuse users' medical data, Cicalo said the security flaw was not unique to Namaste, which among other things bills itself as operator of the largest global cannabis e-commerce platform.

"My worry is that these sites have been active for months and although I'd like to believe I'm the first person to notice such obvious security flaws, I have to think I'm not, Cicalo said. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.