Skip to content
Naked Security Naked Security

Hotspot finder app blabs 2 million Wi-Fi network passwords

If you used WiFi Finder, your passwords to both public and private networks have been left online in an unprotected database.

This should come as no surprise, but it still sucks big-time: thousands of people who downloaded a random, very popular app called WiFi Finder found that it got handsy with users’ own home Wi-Fi, uploading their network passwords to a database full of 2 million passwords that was found exposed and unprotected online.

The leaked database was discovered by Sanyam Jain, a security researcher and a member of the GDI Foundation who reported his find to TechCrunch. Jain and TechCrunch’s Zack Whittaker spent more than two weeks fruitlessly trying to contact the developer, who they believe is based in China.

Receiving no reply, they instead turned to the host, DigitalOcean, which yanked the database within a day of their contact.

According to the app’s Google Play listing, it’s been installed more than 100,000 times.

The app does what it says it does: it searches for nearby hotspots, maps them, and enables users to upload all their stored Wi-Fi passwords. Unfortunately, in spite of what the app developer – Proofusion – claims, WiFi Finder doesn’t differentiate between public hotspots and what Whittaker says are the “countless” home Wi-Fi networks found by TechCrunch and Jain.

The exposed database didn’t give away contact information for any of the Wi-Fi network owners, but it did include geolocation data. The geolocations often corresponded to what look like wholly residential areas where there don’t appear to be any businesses, suggesting that the logins are for home networks.

Read those permissions!

WiFi Finder is a glaring example of how much security and privacy we all too often blithely hand over to an app that doesn’t deserve our trust. If you dig into the permissions it requests, you’ll find that it wants users to give it access to locations, full contact lists – including phone numbers and email accounts of all your friends, family, colleagues and whoever else is in that powerful hand warmer – plus the puzzlingly powerful ability to read, modify and delete data on your phone.

But why? That, unfortunately, is the question that we don’t get around to asking when we don’t bother to read app permissions.

Google has been trying to clean up the hot mess of bad apps in the Play store – a hot mess that, for example, saw 9m Androids infected with malware back in January, when Google removed 85 apps that were purportedly TV and video players and controllers but which would consistently show full-screen ads until they crashed, bringing in profitable ad impressions for the developers but nada for the victims.

We’re better off if we don’t solely depend on Google to strain out all the bad appery. By Google’s own calculations, only 0.09% of devices accessing the Play store were carrying malware as of January, but at 1.8 million phones, that’s nothing to sneeze at.

Make sure to check out app reviews and permissions to see what they’re up to before downloading. The majority of app developers may well have hearts of gold and the smarts to protect sensitive databases, but that still leaves plenty of random bulls in the china shop.

5 Comments

Thank you for the notice (since the goog doesn’t do that).
Recurring IT news headline/content;
-Headline: Malicious App ~~~. Content: google play, we’re trying, security is impotent to us.
-Headline: Facebook ~~~. Content: passwords leaked, we’re sorry, security is impotent to us. (its not a typo)

I don’t know about Google but Apple iOS apps require user authorization individually each data source like location, camera, address book, etc.

Anthonymaw Yes Google apps also require user acceptance of the various types of access, but most users blindly click “accept” with no understanding of what that actually means.
I will uninstall an app immediately if it insists on access to a function I don’t believe it needs…but then am an IT Pro.

yeah, it is quite clever how the app runs in what they call an ‘app sandbox’ from what I’ve read the app runs in a virtual machine and all access to user data such as contacts, photos etc as well as devices like the camera are monitored and controlled by ios.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?