Millions of consumers treat Weedmaps like the Yelp for pot, relying on the Irvine company as their definitive guide to marijuana dispensaries, varieties and doctors.
But a key feature — user reviews of pot businesses — may be tainted by thousands of potentially fraudulent comments, a flaw in the company’s software revealed.
Reviews on the site are pseudonymous, and visitors reasonably expect that each is written by a unique customer. But data that Weedmaps mistakenly leaked suggests a large proportion of a glowing remarks come from individual users leaving multiple reviews of a single business.
Of 598 businesses examined by the Los Angeles Times and a software developer, 70% had at least one batch of reviews originating from the same IP address.
The repetition is suspicious because IP addresses are typically associated with a single device for up to years. One address contributing several reviews for the same dispensary raises questions about their validity.
Weedmaps Media Inc. President Chris Beals disputed that his company’s user-generated ratings lead consumers to improper conclusions. The firm also has virtual tours and menus, including sometimes lab-verified chemistry details of items, whose accuracy he says is more important to customers.
“The reviews are definitely part of the picture,” Beals said. “We don’t want to neglect anything, but to be honest, it’s critical to have accurate menu and lab information. That’s the number one complaint.”
A separate analysis looking at the text in reviews estimates that 62% of all dispensary comments on Weedmaps are fake.
Beals said that the percentage of problematic reviews is much lower and that the company will catch more questionable submissions as it develops automated tools to help its 15 moderators.
In some cases, multiple reviews from a single IP address may be explained by someone reviewing different menu items separately or several roommates critiquing the same business.
SIGN UP for the free California Inc. business newsletter »
Weedmaps stopped exposing reviewers’ IP addresses in its publicly accessible code Friday, the day after The Times questioned the security lapse but weeks after a person speaking on the condition of anonymity notified the company about the issue.
The lax design and policing should concern Weedmaps users, technical experts said. Though Internet companies often store IP addresses to help filter spammers or robots that leave fake posts, revealing them publicly poses a threat.
An IP address isn’t enough on its own to definitively identify a user, but the string of numbers could be the first clue to unmask marijuana users. It can be enough to match a physical address, hack into someone’s Wi-Fi network or lure them into a cyberattack, computer security experts said.
“It’s personal information that should be stored in a secure way,” said Andrew Komarov, chief intelligence officer at data security firm InfoArmor Inc.
A person close to Weedmaps described the long-known bugs as symptomatic of wider growing pains. Like many companies, Weedmaps has experienced a rocky transition from a self-funded, loosely organized start-up to an industry leader with more than 200 employees, middle management and increased controls. It has shred through several technology leaders and only recently beefed up its engineering team.
“The foundation cracked, but they kept building,” said the person, speaking on the condition of anonymity. Now, “trying to fix the foundation with a house on top of it is a huge undertaking.”
The technology issues also show how operating on the fringes hampers the industry. Marijuana use remains illegal under federal law, against many employment contracts and a sensitive discussion for many. Such concerns give users reason to stay in the shadows. The taboo may have turned the services into an afterthought for security researchers who scour the Internet for software bugs. And stigmas kept away potential software engineers and investors until recently, Beals said.
Launched eight years ago by a marijuana advocate paired with a young, pot-smoking software programmer, Weedmaps is crucial for marketing medicinal and recreational marijuana operations. Facebook and Google ban ads that promote drugs. Yelp allows dispensary ads, but doesn’t yet have features tailored to them, a spokeswoman said. That leaves 6-year-old Seattle start-up Leafly as Weedmaps’ chief rival.
Weedmaps has long been controversial. Co-founder and Chairman Justin Hartfield once called the medical marijuana industry a “farce” in which he was complicit. In regions with regulatory gray areas, Weedmaps maintains listings of unlicensed businesses, causing a mix of delight and frustration for dispensaries.
But the closely held company remains a megaforce, generating millions of dollars in revenue annually from charging businesses for listings, prominence or extra features. Profits have gone into event sponsorship, pot legalization campaigns, producing YouTube videos and feature development.
At The Times’ request, software developer Norman Scoullar scrubbed the listings of about 300 top dispensaries and 300 top delivery services using a tool he launched, Weed Blacklist. Forty-three businesses had more than 100 questionable reviews because of IP address commonality. For most, about 20% of reviews came from a single batch of users.
Scoullar said he plans to launch a rival because Weedmaps isn’t adequately addressing the potential ratings inflation.
“Without patients that trust the industry, there is no market for dispensaries or listing services and people slowly go back to the black market,” he said.
Fakespot, a New York City start-up that picks out suspicious Amazon.com and Yelp reviews based on text and user analysis, found problems with 62% of Weedmaps reviews. Fakespot Chief Strategy Officer Ming Ooi called that nearly an F-grade by online shopping standards, given that the service flags 40% of Amazon reviews.
Using data that Scoullar gathered, Fakespot discovered that a significant amount of reviews originated from three universities: USC, UC Irvine and Cal State Long Beach. Looked at critically, that could be a sign of a program that incentivized college students to leave reviews, Ooi said. Beals described it as a testament to the service’s popularity among millennials.