PuffPal, an App for Accessing Cannabis Clubs, Leaked 1 Million Users’ Passports

Sammy Azdoufal discovered that sensitive data belonging to cannabis club patrons, including personal details and consumption habits, was stored without adequate security. The data was accessible through a Spanish app called PuffPal, which had no meaningful security measures. Azdoufal found a payment platform's secret key in plain text and could access any member's profile by altering a single number. Crucially, identification documents such as passports and driver's licenses were stored at public, easily discoverable URLs, and thousands of new IDs were uploaded daily through these insecure links.

Bruce Schneier highlights that using high-value credentials like passports for low-value authentication systems, such as cannabis club ID verification, poses significant risks. The incident serves as a warning about proposed legislation requiring age verification for online activities, suggesting that similar identity leaks are an inevitable consequence. It also shows how essential security is for even seemingly minor online systems.
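
The two access-control failures described above (profiles reachable by changing one number, ID documents served from public URLs) are shown here beside their corrected forms. This is an added example, not PuffPal's code; the function names, record layout, paths and signing key are all constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data; names, fields and paths are hypothetical.
SIGNING_KEY = b"constructed-demo-key"  # assumption: loaded server-side from a secret store
PROFILES = {
    101: {"owner": "alice", "id_doc": "docs/101-passport.jpg"},
    102: {"owner": "bob", "id_doc": "docs/102-licence.jpg"},
}


def get_profile_vulnerable(session_user, member_id):
    """The flaw: the caller's identity is never compared with the record."""
    return PROFILES.get(member_id)


def get_profile(session_user, member_id):
    """Object-level authorization: the record must belong to the caller."""
    profile = PROFILES.get(member_id)
    if profile is None or profile["owner"] != session_user:
        return None  # same answer for "missing" and "not yours"
    return profile


def sign_doc(path, session_user, expires_at):
    """MAC binding one document path to one user and one expiry time."""
    msg = f"{path}|{session_user}|{expires_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def verify_doc(path, session_user, expires_at, sig, now=None):
    """Serve the file only if the link is unexpired and unaltered.
    session_user comes from the authenticated session, not from the URL."""
    now = time.time() if now is None else now
    if now > expires_at:
        return False
    return hmac.compare_digest(sign_doc(path, session_user, expires_at), sig)
```

A link signed this way is useless to a different session, for a different document, or after its expiry, so a discovered URL no longer grants access on its own.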