A security researcher recently discovered that nearly 985,000 passports, driver's licenses and other photo IDs, along with related personal information, had been exposed on the public Internet with almost no protection by a company that provides software to Spanish cannabis clubs. A hacker of average skill could retrieve them with ease. The data involves members from around the world, including about 30,000 U.S. visitors and some celebrities: the identity documents, selfies, contact details and cannabis-consumption habits they registered at clubs in Spain and elsewhere may have been quietly exposed.

The flaw was discovered by security researcher Sammy Azdoufal, who has previously disclosed serious security flaws in several robot vacuum cleaners, baby monitors and security cameras. Using a simple scanning script, he found more than 985,000 ID photos reachable on the Internet, the vast majority of them from the membership registration system used by Spanish cannabis clubs. The files were stored at simple, predictable public URLs with no password or access control of any kind, so anyone who knew the link format could view any member's ID image.
The clubs themselves do not run the system. They use software and cloud services from an Irish company called Cannabis Club Systems (CCS), formerly known as Nefos Solutions, which provides point-of-sale, finance and admission-verification systems. At the front desk, staff upload each member's passport or ID photo and a selfie to the Nefos cloud so that later visits can be verified quickly: instead of presenting a physical ID on every entry, as in the traditional model, the member is checked against the stored record. Some clubs also use a mobile app called PuffPal, which speeds up admission by scanning a QR code.
When Azdoufal decompiled and analyzed the PuffPal app, however, he found that Nefos's security design was effectively absent. A Stripe payment-platform key was embedded in clear text in the app, and the user-profile endpoint returned the complete profile of any member, including phone number, home address, passport details and personal cannabis-consumption preferences, to anyone who changed a single number in the request: a textbook insecure direct object reference with no authentication or ownership check behind it. Worse, the system stored ID photos at public addresses of the form "https://ccsnubev2.com/v8/images/{club}/ID/{user_id}-front.jpg" with no token or permission check, and clubs were still uploading about 5,000 new ID photos a day through this path.
Azdoufal also found a club-facing management back end exposed on the public Internet, and the weak passwords used for club accounts could be cracked in minutes with brute force on a modern GPU. Private messaging between clubs and members through PuffPal was also a potential leak path. In his view, this practice of "throwing an entire vault's keys on the street" would let any determined attacker harvest and resell this highly sensitive identity data in bulk, with unpredictable consequences for the people concerned.
Only after the media got involved did Nefos take concrete action. By Azdoufal's retest on June 10, the company had announced that it would temporarily shut down the entire PuffPal system and its vulnerable API, and the passport images and personal data appeared to be locked down and could no longer be reached from outside by the earlier methods. The company said it had notified the relevant regulators, would fully repair the problem and accept any resulting fines, and would explain the incident to users.
Nefos co-founder Andreas Nilsen said in an interview that the company has contacted the Irish Data Protection Commission (DPC) about the data breach, which was also confirmed by a DPC spokesperson via email. Nilsen said they "must provide notice to all potentially affected persons" and hoped the DPC would provide guidance on how companies can comply with this obligation. He also claimed that there is currently no evidence that outsiders other than Azdoufal have accessed the data.
Judging from the timeline, however, Nefos's response to a serious risk was plainly slow. After Azdoufal contacted the company, Nefos made no substantive response until five days after the media said it would report the matter. In the interim the company spent its effort on point fixes that kept business running rather than taking the at-risk systems offline.
More ironic still, in early June, when Azdoufal told reporters that the passport photos appeared to be locked down, the reporter found that Azdoufal's own passport image was once again publicly visible online. The reason: although Nefos had temporarily restricted image access, it had not stopped clubs from using the PuffPal app, and clubs complained that "image loading is not as convenient as before", so Nefos relaxed the restrictions again. Nilsen argued that the images were blocked about "70 percent of the time" during the company's exchanges with the researcher and the media; but, faced with a choice between protecting members' privacy and preserving the clubs' user experience, the company clearly chose the latter.
On June 9, Azdoufal found that although Nefos had added access tokens to files such as passport images, the rest of the user profile was still completely unprotected. A single command such as "curl -X POST https://ccsnubev2.com/v8/api/userProfile.php -d 'user_id=[number]&[club name]=test&language=en'" was enough to retrieve a member's full record, including passport number, phone number, email address and home address; the endpoint asked for no session or credential, only a guessable user_id. After a further reminder from the researcher and the media, Nefos blocked this interface entirely.
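The two flaws described above, a profile endpoint that returns any member's record for whatever user_id is posted to it, and an image path that is public for anyone who can guess it, are the standard shapes of an insecure direct object reference. The Python below is an added example written for this article, not code from Nefos, CCS, 9Series or the PuffPal app. It contrasts a handler that trusts user_id straight from the request body with one that binds authorization to the caller's session (members see only themselves, club staff only their own club's members), and shows an HMAC-signed, expiring image URL of the kind the photo path lacked. The member records, session tokens and signing secret are constructed sample data, and the path layout merely echoes the pattern quoted in the article.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample data standing in for a club member database.
# Every ID, name and passport number here is made up.
MEMBERS = {
    1001: {"club": "club_a", "name": "Alice Example", "passport": "X0000001", "phone": "+34 600 000 001"},
    1002: {"club": "club_a", "name": "Bob Example",   "passport": "X0000002", "phone": "+34 600 000 002"},
    2001: {"club": "club_b", "name": "Carol Example", "passport": "X0000003", "phone": "+34 600 000 003"},
}

# Constructed sessions: who the caller is and, for staff, which club they work for.
SESSIONS = {
    "tok-alice":   {"member_id": 1001, "club": "club_a", "role": "member"},
    "tok-staff-a": {"member_id": None, "club": "club_a", "role": "staff"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def vulnerable_user_profile(body: str) -> dict:
    """The broken pattern: user_id is taken from the POST body and looked up
    with no session and no ownership check, so any integer returns any member."""
    params = parse_qs(body)
    user_id = int(params["user_id"][0])
    return MEMBERS[user_id]


def hardened_user_profile(session_token: str, body: str) -> dict:
    """Authorization bound to the session rather than to the request body."""
    session = SESSIONS.get(session_token)
    if session is None:
        raise Forbidden("no valid session")
    params = parse_qs(body)
    user_id = int(params.get("user_id", ["0"])[0])
    member = MEMBERS.get(user_id)
    if member is None:
        # Same error as an authorization failure, so IDs cannot be enumerated.
        raise Forbidden("not found or not permitted")
    if session["role"] == "member" and session["member_id"] != user_id:
        raise Forbidden("members may only read their own profile")
    if session["role"] == "staff" and session["club"] != member["club"]:
        raise Forbidden("staff may only read members of their own club")
    return member


def sign_image_path(path: str, secret: bytes, expires_at: int) -> str:
    """Issue a time-limited URL whose signature covers both path and expiry,
    so neither the member ID in the path nor the deadline can be altered."""
    msg = f"{path}\n{expires_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'expires': expires_at, 'sig': sig})}"


def verify_image_url(url: str, secret: bytes, now: int) -> bool:
    """Accept the URL only if it is unexpired and its signature matches."""
    path, _, query = url.partition("?")
    params = parse_qs(query)
    try:
        expires_at = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires_at:
        return False
    expected = hmac.new(secret, f"{path}\n{expires_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Anyone can read Carol's record through the vulnerable handler...
    print(vulnerable_user_profile("user_id=2001&club_b=test&language=en")["name"])
    # ...but Alice's session cannot read Bob's through the hardened one.
    try:
        hardened_user_profile("tok-alice", "user_id=1002")
    except Forbidden as err:
        print("refused:", err)
    signed = sign_image_path("/v8/images/club_a/ID/1001-front.jpg", b"demo-secret", 1_700_000_000)
    print(signed, verify_image_url(signed, b"demo-secret", 1_699_999_000))
```

A signed URL is still a bearer credential: anyone who obtains it before it expires can fetch the image, so the expiry should be short and the link should only be handed to a caller that has already passed the session check in hardened_user_profile. The profile fix and the image fix are therefore the same fix applied at two layers, and either one alone leaves the other path open, which is exactly what the June 9 retest found.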
In the face of doubts, Nilsen admitted that the ultimate responsibility lies with the company, but also passed part of the blame to the outsourcing team. He named an outsourcing company called 9Series, saying it was responsible for developing the PuffPal application and related APIs, and it was these interfaces that allowed a large amount of unprotected data to be transferred directly from Nefos's user database to the public network. As of press time, 9Series has yet to respond.
Now that PuffPal is shut down, Nefos is notifying clubs by email that members can no longer enter with a QR code. Clubs can still retrieve member identity records from the Nefos server for on-site verification by scanning a member's RFID card or entering a phone number. Nilsen stressed that the company would not bring the insecure PuffPal back just because clubs asked, and plans to launch a new app in the coming months after ending its relationship with 9Series. He promised that the new system would be audited by independent security researchers and returned to service only once it is confirmed to be "100 percent safe."
Under the European Union's General Data Protection Regulation (GDPR), a company must report a personal-data breach to its supervisory authority within 72 hours of becoming aware of it or face heavy fines. Nilsen acknowledged that the company missed that deadline and so "will certainly be subject to some form of penalty." Just last month, a website called "UK Visa Portal" drew public attention for exposing at least 100,000 passports and selfies at guessable URLs. Industry observers worry that such incidents are piling up, exposing how carelessly and shortsightedly a growing number of companies handle highly sensitive identity documents, and sounding the data-security alarm once again.