A prominent Canadian medical marijuana company took weeks to fix a website security weakness that could have allowed hackers to access a patient’s sensitive information.

In an interview this week, the chief technology officer of Namaste Technologies said the changes were made late last month ahead of plans to roll out a complete reworking of the flawed application, which had been put in place in January.

The vulnerability allowed anyone to confirm whether a particular email address was registered with Namaste. More significantly, the website allowed an unlimited number of password attempts instead of locking a user out after three failed log-ins as is usually done.

“We’ve basically removed the ability to perform brute force attacks — made it more difficult, really,” Chad Agate, the chief technology officer of the Toronto-based company, said. “We do work to resolve those technical issues.”

Medical marijuana websites typically request personal information that goes well beyond name, address, age and a copy of photo ID. Some require physical information such as height and weight, along with answers to questions such as whether the applicant has suffered from schizophrenia and what medications they take.

The patched Namaste program, which now returns an “obfuscated” generic message rather than confirming whether a user name exists and locks out a user after three failed log-ins, was implemented weeks after a user alerted the company to the problem and The Canadian Press began asking questions about the issue.
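For readers who build log-in forms, the two fixes described above look roughly like this. The sketch is an added illustration, not Namaste's code; the class name, the 15-minute lockout duration and the in-memory storage are assumptions, and only the three-attempt threshold and the generic message come from the article.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3               # threshold reported in the article
LOCKOUT_SECONDS = 15 * 60      # assumption: the article gives no duration
GENERIC_ERROR = "Invalid email or password."


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """Hypothetical in-memory log-in check with lockout and a uniform error."""

    def __init__(self, clock=time.monotonic):
        self._users = {}       # email -> (salt, password hash)
        self._failures = {}    # email -> (failed count, locked-until time)
        self._clock = clock
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("placeholder", self._dummy_salt)

    def register(self, email, password):
        salt = os.urandom(16)
        self._users[email.lower()] = (salt, _hash(password, salt))

    def login(self, email, password):
        email = email.lower()
        now = self._clock()
        count, locked_until = self._failures.get(email, (0, 0.0))
        # Hash even for unknown addresses so response time does not
        # reveal whether the address is registered.
        salt, stored = self._users.get(email, (self._dummy_salt, self._dummy_hash))
        matches = hmac.compare_digest(_hash(password, salt), stored)
        ok = matches and email in self._users
        if now < locked_until:
            # Same message as any other failure, even for a correct password.
            return False, GENERIC_ERROR
        if ok:
            self._failures.pop(email, None)
            return True, "OK"
        # Count failures for unregistered addresses too, so lockout
        # behaviour cannot be used to test which addresses exist.
        count += 1
        if count >= MAX_FAILURES:
            self._failures[email] = (0, now + LOCKOUT_SECONDS)
        else:
            self._failures[email] = (count, locked_until)
        return False, GENERIC_ERROR
```
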

Kurtis Cicalo, an Ottawa-based website developer and consultant, said a sophisticated hacker could have accessed a Namaste user’s account in seconds.

While there is no evidence intruders did in fact obtain or misuse users’ medical data, Cicalo said the security flaw was not unique to Namaste, which among other things bills itself as operator of the largest global cannabis e-commerce platform.

“My worry is that these sites have been active for months and although I’d like to believe I’m the first person to notice such obvious security flaws, I have to think I’m not,” Cicalo said. “This one was super easy to find. Anyone could have found it. It’s so basic, it should never have happened.”

Cicalo also said he was able to access the site even using a computer address that appeared to originate from abroad.

“If somebody is accessing medical cannabis records from China, it should be a red flag,” said Cicalo, who wondered whether companies cut security corners in their rush to jump on the money-making cannabis bandwagon. “There’s a very basic lack of security on pretty much every company site.”

Cicalo said the office of the federal privacy commissioner suggested he contact the companies involved and only file a personal complaint as a last resort.

Eugene Ocapalla, a lawyer who teaches drug policy at the University of Ottawa, said users, sellers and those in between have to be more aware of privacy concerns related to pot. Buying marijuana for medical purposes, he said, carries a potential double whammy.

“If somebody’s information gets taken from a website, you’re learning something about the person’s health condition which for one thing is generally considered very sensitive information,” Ocapalla said. “On top of that, you’re talking about a drug that is still much maligned in many circles, including by some foreign jurisdictions, most notably the United States.”

Part of the problem facing web developers is the need to balance ease of use against security concerns. As a rule, the more secure a site, the harder it is for the ordinary user to navigate.

“On password complexity, we had a lot of customers pushing back,” Agate said. “We try to find the best balance.”

Cicalo said he understood the user-friendly vs. security debate, but said he was pleased Namaste, which says it has more than 30 websites in more than 20 countries under various brands, had finally fixed a “major vulnerability.”
