A hotspot finder app for Android exposed over two million Wi-Fi network passwords, according to a report by TechCrunch.
The app, named “WiFi Finder” and downloaded by more than 100,000 users, allowed users to search for nearby Wi-Fi networks and to upload Wi-Fi network passwords from their devices to its database.
According to TechCrunch, the app leaked more than two million network passwords from its “exposed and unprotected” database. Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID) and the network password stored in plain text.
The database was first discovered by Sanyam Jain, a security researcher and a member of the GDI Foundation, according to TechCrunch. TechCrunch initially attempted to contact the developer, believed to be based in China, but was unsuccessful. It then reached out to the host, DigitalOcean, which took down the database within a day.
While the app developer claims the app only provides passwords for public hotspots, the data apparently showed “countless” home Wi-Fi networks. “The exposed data didn’t include contact information for any of the Wi-Fi network owners, but the geolocation of each Wi-Fi network correlated on a map often included networks in wholly residential areas or where no discernible businesses exist,” TechCrunch stated in the report.
“The app doesn’t require users to obtain the permission from the network owner, exposing Wi-Fi networks to unauthorized access. With access to a network, an attacker may be able to modify router settings to point unsuspecting users to malicious websites by changing the DNS server, a vital system used to convert web addresses into the IP addresses used to locate web servers on the internet. When on a network, an attacker also can read the unencrypted traffic that goes across the wireless network, allowing them to steal passwords and secrets,” the report added.