PuffPal, an App for Accessing Cannabis Clubs, Leaked 1 Million Users’ Passports

Sean Hollister, writing for The Verge (gift link):

If you’ve visited a cannabis club in Spain, [Sammy] Azdoufal says, chances are your photo ID was among them — and possibly your phone number, address, your favorite strains of cannabis, and how much you consumed each month while there. Azdoufal says celebrities are in the database, too, and visitors from all over the world, including 30,000 from the United States. “They have famous people,” says Azdoufal. “People who don’t want everyone to know they smoke weed.”

But when Azdoufal decompiled that PuffPal app, he explains in his report, he discovered that Nefos had no meaningful level of security. He discovered a secret key for the Stripe payments platform sitting inside the app in plain text. He discovered he could pull up any member’s profile just by changing one number. If those profiles included their phone number, home address, passport, and weed preferences, he now had access to them too.

And then, he discovered that those passports, driver’s licenses, and photo IDs were stored at public URLs as simple as this: https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg

Those clubs were uploading 5,000 new photo IDs with these insecure URLs every day, Azdoufal tells me.

Azdoufal’s full report on the leak, including the ease with which he discovered it, is worth reading.
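The two failures the report describes, a profile endpoint that trusts whatever ID number the client sends and ID images sitting at predictable unauthenticated URLs, are both access-control bugs, and the fix for each is the same shape: check who is asking before returning the object, and never hand out a permanent, guessable location for sensitive files. The following is an added example, not code from PuffPal, Nefos or The Verge, showing the vulnerable pattern beside a hardened version that enforces ownership and serves images only via short-lived HMAC-signed URLs. All names, IDs, paths, the `example.invalid` host and the signing key are constructed for illustration.

```python
"""
Added example (not the app's code): a sequential-id profile lookup with no
ownership check, and static image URLs, contrasted with an ownership-checked
lookup and HMAC-signed, expiring image URLs. All data is constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    phone: str
    id_image: str  # storage path of the uploaded photo ID (constructed)


# Constructed sample data with sequential ids, the kind the report describes.
PROFILES = {
    1001: Profile(1001, "Alice", "+34 600 000 001", "club7/ID/1001-front.jpg"),
    1002: Profile(1002, "Bob", "+34 600 000 002", "club7/ID/1002-front.jpg"),
}


# --- Vulnerable pattern: the id in the request is treated as authorization.
def get_profile_vulnerable(requesting_user: int, user_id: int) -> Profile:
    # Changing user_id is enough to read anyone's record; the caller's
    # identity is never compared with the record's owner.
    return PROFILES[user_id]


def id_image_url_vulnerable(profile: Profile) -> str:
    # A static, guessable URL: anyone who can count can enumerate it.
    return f"https://example.invalid/images/{profile.id_image}"


# --- Hardened pattern: ownership check first, then a signed expiring URL.
SIGNING_KEY = secrets.token_bytes(32)  # server-side only; never ship in an app
STAFF = {9000}  # constructed: staff accounts allowed to view any member


def get_profile_hardened(requesting_user: int, user_id: int) -> Profile:
    if requesting_user != user_id and requesting_user not in STAFF:
        raise PermissionError("not authorized to view this profile")
    return PROFILES[user_id]


def hardened_denies(requesting_user: int, user_id: int) -> bool:
    """True if the hardened lookup refuses this (caller, target) pair."""
    try:
        get_profile_hardened(requesting_user, user_id)
    except PermissionError:
        return True
    return False


def _sig(path: str, expires: int) -> str:
    # Bind the signature to both the object path and the expiry time.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def signed_image_url(requesting_user: int, user_id: int, ttl: int = 60, now=None) -> str:
    profile = get_profile_hardened(requesting_user, user_id)  # authz before any URL
    expires = int(now if now is not None else time.time()) + ttl
    q = urlencode({"expires": expires, "sig": _sig(profile.id_image, expires)})
    return f"https://example.invalid/images/{profile.id_image}?{q}"


def verify_image_url(url: str, now=None) -> bool:
    """What the image server checks before serving a file."""
    parsed = urlparse(url)
    path = parsed.path.removeprefix("/images/")
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if int(now if now is not None else time.time()) > expires:
        return False  # link has expired
    # Constant-time compare; a changed path or expiry invalidates the signature.
    return hmac.compare_digest(sig, _sig(path, expires))


if __name__ == "__main__":
    print("vulnerable: Alice reads Bob ->", get_profile_vulnerable(1001, 1002).name)
    print("hardened: Alice reads Bob denied ->", hardened_denies(1001, 1002))
    url = signed_image_url(1001, 1001, ttl=60, now=1_000_000)
    print("signed url valid now ->", verify_image_url(url, now=1_000_030))
    print("same url after expiry ->", verify_image_url(url, now=1_000_061))
```

The signed URL is only a stand-in for whatever the storage layer provides (cloud object stores offer equivalent pre-signed URLs); the property that matters is that a leaked or enumerated link is useless without the server-side key and stops working after the TTL. The `SIGNING_KEY` here is generated at startup for the demo; in production it lives in a secrets manager, which is also where the Stripe secret key the report found in the app binary should have been.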

Bruce Schneier:

Note what happened. A high-value credential — a passport — was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.

Access to cannabis clubs has to be age verified. The security ought not be shit, but age verification is part of the industry. But now think about the legislation being proposed and passed around the world requiring age verification for just doing anything online. These sorts of identity leaks are the inevitable result.

Sunday, 28 June 2026