TORONTO -- A prominent Canadian medical marijuana company took weeks to fix a website security weakness that could have allowed hackers to access a patient's sensitive information.
In an interview this week, the chief technology officer of said the changes were made late last month ahead of plans to roll out a complete reworking of the flawed application, which had been put in place in January.
The vulnerability allowed anyone to confirm whether a particular email address was registered with Namaste. More significantly, the website allowed an unlimited number of password attempts instead of locking a user out after three failed log-ins as is usually done.
"We've basically removed the ability to perform brute force attacks -- made it more difficult, really," Chad Agate, the chief technology officer of the Toronto-based company, said. "We do work to resolve those technical issues."
Medical marijuana websites typically request personal information that goes well beyond name, address, age and a copy of photo ID. Some require physical information such as height and weight, along with answers to questions such as whether the applicant has suffered from schizophrenia and what medications they take.
The patched Namaste program, which now returns a "obfuscated" generic message in terms of user names and locks out a user after three failed log-ins, was implemented weeks after a user alerted the company to the problem and The Canadian Press began asking questions about the issue.
Kurtis Cicalo, an Ottawa-based website developer and consultant, said a sophisticated hacker could have accessed a Namaste user's account in seconds.
While there is no evidence intruders did in fact obtain or misuse users' medical data, Cicalo said the security flaw was not unique to Namaste, which among other things bills itself as operator of the largest global cannabis e-commerce platform.
"My worry is that these sites have been active for months and although I'd like to believe I'm the first person to notice such obvious security flaws, I have to think I'm not, Cicalo said. "This one was super easy to find. Anyone could have found it. It's so basic, it should never have happened."
Cicalo also said he was able to access the site even using a computer address that appeared to originate from abroad.
"If somebody is accessing medical cannabis records from China, it should be a red flag," said Cicalo, who wondered whether companies cut security corners in their rush to jump on the money-making cannabis bandwagon. "There's a very basic lack of security on pretty much every company site."
Cicalo said the officer of the federal privacy commissioner suggested he contact the companies involved and only file a personal complaint as a last resort.
Eugene Ocapalla, a lawyer who teaches drug policy at the University of Ottawa, said users, sellers and those in between have to be more aware of privacy concerns related to pot. Buying marijuana for medical purposes, he said, carries a potential double whammy.
"If somebody's information gets taken from a website, you're learning something about the person's health condition which for one thing is generally considered very sensitive information," Ocapalla said. "On top of that, you're talking about a drug that is still much maligned in many circles, including by some foreign jurisdictions, most notably the United States."
Part of the problem facing web developers is the need to balance ease of use against security concerns. As a rule, the more secure a site, the harder it is for the ordinary user to navigate.
"On password complexity, we had a lot of customers pushing back," Agate said. "We try to find the best balance."
Cicalo said he understood the user-friendly vs. security debate, but said he was pleased Namaste, which says it has more than 30 websites in more than 20 countries under various brands, had finally fixed a "major vulnerability."