Android App Leaks 2M Wi-Fi Passwords -- What You Need To Know

This article is more than 5 years old.

An Android app by the name of WiFi Finder, installed by more than 100,000 Google Play users, has leaked in excess of 2 million Wi-Fi network passwords. Although the app is designed to locate and connect to public Wi-Fi hotspots close to the user, it also has a community feature that enables users to share the hotspots they find with others. This is where the security and privacy problems start.

What happened?

To make it easier for users not only to locate the nearest Wi-Fi hotspot while out and about but also to connect to it, WiFi Finder includes a feature that lets users upload network passwords. The app, which seems to be of Chinese origin, encourages users to share this information and become part of a Wi-Fi community. The description for the app, which is still available for download from Google Play as I write, asks users to "Be social and share your Wi-Fi hotspots. Add your Wi-Fi network and update." According to security researcher Sanyam Jain, who is part of the GDI Foundation, and as reported by Zack Whittaker for TechCrunch, the database resulting from these uploads was "left exposed and unprotected, allowing anyone to access and download the contents in bulk."

What information has been exposed?

The exposed database didn't include any contact information for the Wi-Fi network owners whose data was included, but it did contain Wi-Fi network names, accurate geolocation and passwords stored in plaintext. "Although the app developer claims the app only provides passwords for public hotspots, a review of the data showed countless home Wi-Fi networks," Whittaker writes.

What does this mean?

It would appear that there are three main issues here:

  1. Users have inadvertently uploaded their own Wi-Fi network passwords, encouraged by the "share your Wi-Fi" message in the app.
  2. The app developers failed to secure the database where all this data is stored and failed to observe basic security hygiene such as never storing unencrypted passwords.
  3. Because the app makes no distinction between public hotspots and home Wi-Fi networks, the latter have become exposed to potential compromise by threat actors.

It should be noted that while there is the potential for attack here, there is no evidence of any compromises resulting from the leaked database. That database has now been taken offline by the cloud company hosting it, after TechCrunch failed to get any response from the developer over a two-week period.

What should you do now?

If you haven't downloaded and installed the WiFi Finder app yourself, there's not really much cause for concern. Even if you have, unless you have shared your own Wi-Fi information using that community upload function, the same applies. If you have, then you should change your Wi-Fi password immediately. More broadly, this incident should be seen as a warning of why downloading apps from unknown and therefore untrusted developers is fraught with danger. Oh, and don't share your Wi-Fi network credentials unless you want others to be able to access it, and that includes those with bad intentions...
