The app in question is Wi-Fi Finder, which has been downloaded thousands of times on Android. As the name suggests, the application allows users to search for Wi-Fi networks in their location. Additionally, the app also created a database of networks. To enhance this database, users were able to store their network passwords on the app for other people to use. Sanyam Jain, a security researcher for GDI Foundation, discovered the database was not being protected properly. As he told TechCrunch, the result left millions of network passwords exposed. Anyone with access to the database would be able to steal the data. In a report, TechCrunch says it has been attempting to contact the app developer for weeks. However, the Chinese-based company behind Wi-Fi Finder has not responded. Once app host DigitalOcean was notified, the database was removed within a day. Each database entry held detailed information about a network, including the Wi-Fi network name, its exact location, and its basic service set identifier (BSSID). Worst of all, the network passwords were visible in plaintext.
Exposed
While Wi-Fi Finder was a public hotspot finder, the database aspect allowed many home networks to be collected. What’s interesting about that is we doubt users were creating database entries and essentially allowing their homes to become public hotspots. However, because the information was there, users could connect to those home networks if they were in the area. In terms of attacks, a bad actor would possibly be able to change router settings and sent users to malicious websites.
