App to find Wifi hotspots leaked over 2 million passwords

An Android app that lets users find WiFi hotspots has leaked the passwords of over 2 million WiFi routers. According to security researchers, the login details were visible as plain text. The app in question is WiFi Finder, which has been downloaded more than 100,000 times from Google Play.

The app not only helps users find WiFi hotspots, but also provides the login details of those hotspots, provided the owners have shared them. This is precisely where the security problem lies, according to TechCrunch. Sanyam Jain, security researcher and member of the GDI Foundation, discovered that the database containing those passwords was on an unsecured server.

The leaked data did not contain contact information for the owners of the affected WiFi networks, but it did contain the geolocation and the basic service set identifier (BSSID) of each network. TechCrunch says it tried for two weeks to contact the developer of the app, who it says is located in China, but did not succeed.

Eventually, the website contacted DigitalOcean, which hosts the app. DigitalOcean took the database offline the next day. A company spokesperson said that the user has been notified.

Residential areas

The app developer states that the app only provides passwords for public hotspots. But according to TechCrunch, the data shows that it includes numerous private WiFi networks. Plotting the geolocation of each WiFi network on a map often showed networks located in residential areas, where there are no companies.

In addition, the app does not require users to obtain permission from the network owner. This also makes WiFi networks vulnerable to unauthorised access. With network access, hackers may be able to change the router settings, for example the configured DNS server, to redirect users to rogue websites.

Also, attackers can read the unencrypted traffic that goes over the wireless network, allowing them to steal passwords and other sensitive information.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.