The app is called WiFi Finder – connect to hotspots.
WiFi Finder, a popular and widely downloaded hotspot finder app for Android, has been found to be exposing the passwords of more than two million WiFi networks.
The exposed database was identified by GDI Foundation member and security researcher Sanyam Jain. According to Jain, it contains about 2 million plaintext network passwords from across the globe, the majority of them for networks located in the US, and all of them were accessible and downloadable by the public for free.
[1/3] Found a MongoDB hosted on Digital Ocean containing Wifi spot name, BSSID, as well as passwords too. Around 2 million records were there, as well as lat and long of where the wifi-hotspot is located.
— S. (@HeliumNitro) April 12, 2019
The app has already been downloaded by tens of thousands of users. It lets users search for WiFi networks available in their immediate vicinity, and it also lets them upload a WiFi network's password to the app's database so that others can use it as well.
This data was exposed to public view because the database was poorly secured. Apart from network passwords, it also contains sensitive information such as each network's SSID and its precise geolocation. Information about the network owners is not part of the database, but since the geolocation is exposed, it would not be difficult for anyone to locate an owner on a map.
The hosted database is also vulnerable to the POODLE attack, Jain tweeted.
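The exposure described above came down to a database that anyone on the internet could read. As an added example that is not from the article or from the app's developer, the following Python script audits a mongod.conf for the settings that produce that condition (listening on every interface, running without authorization) and, since the transport was flagged as weak too, whether TLS is required. The two configuration samples are constructed, and the parser handles only the indentation-based key/value subset of YAML that mongod.conf uses (nested mappings and scalar values, no lists or anchors), so it runs with the standard library alone.

```python
"""Audit a mongod.conf for the settings that turn a database into a public dump.

Added example, not from the article or from WiFi Finder's developer. Both
configurations below are constructed samples, not the real server's config.
"""

# Constructed: a server reachable from anywhere, with no authorization and no TLS.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: bound to loopback plus one private address, auth on, TLS required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the mongod.conf YAML subset (indented mappings, scalar values) into dicts.

    Comments after '#' are dropped; lists, anchors and quoted scalars are not supported.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # climb out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no scalar opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(conf, dotted_path, default=None):
    """Fetch a nested value such as 'net.bindIp', or default if absent."""
    node = conf
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(text):
    """Return a list of findings; an empty list means the checked settings are sane."""
    conf = parse_conf(text)
    findings = []
    bind_ip = lookup(conf, "net.bindIp")
    bind_all = lookup(conf, "net.bindIpAll", "false").lower() == "true"
    wildcard = ("0.0.0.0", "::", "*")
    if bind_all or (bind_ip and any(a.strip() in wildcard for a in bind_ip.split(","))):
        findings.append("net.bindIp: mongod listens on every interface; bind to loopback "
                        "or the private address the application server uses")
    elif bind_ip is None:
        # MongoDB 3.6+ defaults to localhost, earlier releases bound to all interfaces.
        findings.append("net.bindIp: not set; releases before 3.6 defaulted to all "
                        "interfaces, so set it explicitly")
    if lookup(conf, "security.authorization", "disabled") != "enabled":
        findings.append("security.authorization: not enabled; any client that can reach "
                        "the port can read every collection")
    if lookup(conf, "net.tls.mode", "disabled") != "requireTLS":
        findings.append("net.tls.mode: not requireTLS; traffic to the database travels "
                        "in the clear")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

The audit is deliberately narrow: a firewall rule or a cloud security group in front of the port would fix the first finding without the config changing, so the script is a complement to a network-level review, not a replacement for it.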
Jain immediately reported the findings to TechCrunch, which tried to contact the app's China-based developer, Proofusion. When no response was received after two weeks of trying, TechCrunch informed the host, DigitalOcean, after which the database was finally taken down.
At the time of publishing this article, “WiFi Finder – connect to hotspots” had been removed from the Play Store (a cached version remains). During setup, the app requested permission to access the list of WiFi passwords stored on the device; if the user granted it, the app read those credentials and transferred them to the database for other users to benefit from.
The developer claimed that the app stores public hotspot passwords only, but a review of the data showed a large number of home WiFi network credentials. An attacker with these credentials could change router settings and redirect unsuspecting users to infected websites simply by modifying the DNS server. The attacker could also capture unencrypted traffic passing through the wireless network and steal users' data, including passwords.
WiFi Finder is yet another example of how easily an app can invade our privacy and compromise our network's security. Perhaps there is no app that can be trusted nowadays, not even those available on Google's official Play Store.
It is, however, suggested that when installing a new app on your device, you carefully assess the permissions it requests. Most of the time these apps require access to the user's full contact list, location, phone number and email ID, and those of his or her friends, family and colleagues, along with the ability to modify and delete the phone's data.
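The advice above, assessing an app's requested permissions against what it plausibly needs, can be turned into a repeatable check. The following Python script is an added example, not from the article or from the app's developer: it reads `uses-permission` entries from an Android manifest and flags everything outside a baseline for a hotspot finder. The manifest is a constructed sample for a hypothetical app, and the baseline set is this example's own judgement of what such an app needs (scanning nearby networks on Android requires a location permission), not a published standard.

```python
"""Flag manifest permissions that exceed what a WiFi-hotspot finder needs.

Added example, not from the article or the app's developer. The manifest is a
constructed sample; EXPECTED is this example's own baseline for a hotspot app.
"""

import xml.etree.ElementTree as ET

# Attribute names in AndroidManifest.xml live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical hotspot app (package name is made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hotspotfinder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

# Example's own baseline: network access, WiFi state, and location (which Android
# requires before an app may see the results of a WiFi scan).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Subset of Android's runtime ("dangerous") permissions that map to the data the
# article warns about: contacts, accounts and email IDs, phone details, shared files.
DANGEROUS = {
    "android.permission.READ_CONTACTS": "full contact list",
    "android.permission.WRITE_CONTACTS": "modify or delete contacts",
    "android.permission.GET_ACCOUNTS": "account names and email IDs on the device",
    "android.permission.READ_PHONE_STATE": "phone number and device identifiers",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_EXTERNAL_STORAGE": "read files on shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete files on shared storage",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def audit_permissions(manifest_xml, expected=EXPECTED):
    """Map each requested permission outside the baseline to why it matters."""
    unexpected = requested_permissions(manifest_xml) - expected
    return {
        perm: DANGEROUS.get(perm, "not needed for the app's stated purpose")
        for perm in sorted(unexpected)
    }


if __name__ == "__main__":
    for perm, reason in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {reason}")
```

To run this against a real package, extract the manifest first; `aapt dump permissions app.apk` from the Android SDK build tools lists the same `uses-permission` names, which can be fed to `audit_permissions` by wrapping them in a minimal manifest or by comparing the set directly against `EXPECTED`.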