WiFi Finder, an Android application installed by more than 100,000 users from Google Play, has leaked over 2 million Wi-Fi network passwords.
Although the application is designed to detect and connect to public Wi-Fi hotspots near the user, it also has a feature that allows users to share the hotspots they find with others. This is where the security and privacy problems begin.
To make it easier for users not only to identify the nearest Wi-Fi hotspot but also to connect to it, WiFi Finder includes a feature that allows users to upload network passwords.
The app, which appears to be of Chinese origin, encourages users to share this information and become members of a Wi-Fi community. The app description, which is still available for download from Google Play, asks users to "be social and share the Wi-Fi hotspots."
According to security researcher Sanyam Jain, a member of the GDI Foundation, the database resulting from these uploads was "open and unprotected, allowing anyone to access and download the content."
What information has been exposed?
The exposed database did not contain contact information for the owners of the Wi-Fi networks whose data was included, but it did include Wi-Fi network names, exact geographic locations and passwords stored in plain text. Worse, although the application developer claims the app only provides passwords for public hotspots, a review of the data showed countless home Wi-Fi networks.
What does this mean?
There seem to be three main issues here:
- Users have accidentally uploaded their own Wi-Fi network passwords, prompted by the "share Wi-Fi" message in the app.
- The application's developers failed to secure the database where all of this data is stored and failed to follow basic security rules, such as never storing unencrypted passwords.
- Because the application does not distinguish between public access points and home Wi-Fi networks, the latter are exposed to a possible attack.
It should be noted that while an attack is possible, there are no indications that any systems were compromised in this case. The database is now offline.
What should you do now?
If you have not downloaded and installed WiFi Finder, there is no real reason to worry. There is only cause for concern if you shared your Wi-Fi information using the function that sends it to the community. If you have, then you need to change your Wi-Fi password immediately. In general, this incident should be seen as a warning about why downloading applications from unknown and therefore unreliable developers is dangerous.