Medical cannabis company plugs web security flaw but privacy concerns persist
TORONTO - A prominent Canadian medical marijuana company took weeks to fix a website security weakness that could have allowed hackers to access a patient’s sensitive information.
The chief technology officer of Namaste Technologies said the changes were made late last month ahead of plans to roll out a complete reworking of the flawed application, which had been put in place in January.
The vulnerability allowed anyone to confirm whether a particular email address was registered with Namaste. More significantly, the website allowed an unlimited number of password attempts instead of locking a user out after three failed log-ins as is usually done.
“We’ve basically removed the ability to perform brute force attacks — made it more difficult, really,” Chad Agate, the chief technology officer of the Toronto-based company, said. “We do work to resolve those technical issues.”
Medical marijuana websites typically request personal information that goes well beyond name, address, age and a copy of photo ID. Some require physical information such as height and weight, along with answers to questions such as what medications applicants take.
The patched Namaste program, which now returns an “obfuscated” generic message in terms of user names and locks out a user after three failed log-ins, was implemented weeks after a user alerted the company to the problem and The Canadian Press began asking questions about the issue.
Kurtis Cicalo, an Ottawa-based website developer and consultant, said a sophisticated hacker could have accessed a Namaste user’s account in seconds.
There is no evidence intruders did obtain or misuse users’ medical data.
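The two behaviours the article describes (a log-in response that confirms whether an email is registered, with unlimited attempts, versus a generic message with a lockout after three failures) look like this side by side. This is an added illustration, not Namaste's code; the class, method names, messages and the `unlock` step are assumptions.

```python
import hashlib, hmac, os

MAX_FAILURES = 3                      # threshold named in the article
GENERIC_ERROR = "Invalid email or password."
_DUMMY = (os.urandom(16), os.urandom(32))  # placeholder record for unknown emails

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:                   # hypothetical in-memory service
    def __init__(self):
        self.users = {}               # email -> (salt, password hash)
        self.failures = {}            # email -> consecutive failed attempts

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, _hash(password, salt))

    def login_weak(self, email, password):
        """Flawed pattern: distinct messages and no attempt limit."""
        if email not in self.users:
            return "No account with that email."   # confirms registration status
        salt, stored = self.users[email]
        if hmac.compare_digest(_hash(password, salt), stored):
            return "OK"
        return "Wrong password."                   # unlimited retries possible

    def login_hardened(self, email, password):
        """Generic message for every failure, lockout after MAX_FAILURES."""
        # Failures are counted for any submitted address, registered or not,
        # so the lockout does not itself reveal which emails exist.
        if self.failures.get(email, 0) >= MAX_FAILURES:
            return GENERIC_ERROR
        # Hash against a dummy record for unknown emails so both paths do
        # the same amount of work.
        salt, stored = self.users.get(email, _DUMMY)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if matches and email in self.users:
            self.failures.pop(email, None)         # success resets the counter
            return "OK"
        self.failures[email] = self.failures.get(email, 0) + 1
        return GENERIC_ERROR

    def unlock(self, email):
        """Assumed out-of-band reset, e.g. after an emailed recovery link."""
        self.failures.pop(email, None)
```

A permanent lockout keyed on the address also lets anyone lock a known user out, so deployments often use a time-limited lockout or per-client throttling instead.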