Recently, the WiFi Finder app, one of many hotspot searching applications went offline after a security incident. The app left 2 million WiFi passwords exposed publicly.
WiFi Finder App Exposed WiFi Passwords
The WiFi Finder app on Android publicly exposed more than 2 million WiFi network passwords with the app having exposed passwords shared with it by the WiFi owners.
The incident first surfaced online after a researcher Sanyam Jain from GDI Foundation contacted TechCrunch to inform of the exposed data. As observed, the exposed data included much more than mere passwords.
“Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID) and network password stored in plaintext.”
Though the exposed data didn’t include contact details of the WiFi owners, the geolocation of the WiFi network could allow for users to locate a home with the exposed key.
According to the stats on its Google Play Store link (cached), the “WiFi Finder – connect to hotspots” had more than 100,000 downloads. The app could let the users upload their WiFi passwords to its database. This could subsequently allow other users to use these WiFi networks when needed.
Since the app didn’t ask for permission from the network owners to link another user, it subsequently allowed unauthorized access to the network. A potential attacker could exploit this feature to gain access to the router and execute malicious activities as desired.
Shady Developers Went Offline
Upon noticing the exposed data, researchers tried contacting the developers, supposedly based in China. However, upon failing to do so, they contacted DigitalOcean. Acknowledging their report, the host service took down the unsecured database.
After this report, the app went offline, and now the Play Store link for this app displays nothing. The removal of this app seemingly related to the removal of the developers ‘Proofusion’ as well, since they only had this single app on the Play Store. Moreover, the GitHub link leading to the Privacy Policy of this app also shows nothing.