A Free Wi-Fi Finder App Exposed Passwords To Millions Of Networks
An app that helped its users find and connect to free Wi-Fi hotspots helped itself to network security keys. As if that wasn’t bad enough, it uploaded those keys to an unsecured database without encrypting them – all without telling users it was even happening.
The discovery was made recently by security researcher Sanyam Jain of the GDI Institute. According to Jain, the database had left plain-text credentials for more than 2 million wireless networks exposed.
There was plenty of other information in the database, too. Jain told TechCrunch’s Zack Whittaker that it also contained network names (or SSIDs) and — more alarmingly — precise GPS location data.
More than 10,000 of the exposed networks were located in the U.S. Although the app claimed to share only public hotspots, Whittaker noted that many appeared to be home wireless networks. He made that determination by simply looking at Google Maps and seeing which coordinates fell within areas that are clearly residential.
That’s not exactly an ideal situation. Anyone with access to that data could navigate to and join someone’s private network with relative ease. Once connected, someone with malicious intent could scour the network for vulnerable devices to infect, launch cyber attacks, or even access and download inappropriate content from the victim’s IP address.
Jain and Whittaker spent two weeks trying to contact the developer of the app but have yet to receive any response. Rather than wait around, they turned to the service provider that was hosting the leaky database. The company pulled the file offline less than 24 hours later.
As for the offending app, it has now disappeared from Google Play. Now’s probably a good time to remind you that changing your Wi-Fi password from time to time is a good habit to get into.
Yes, that means reconnecting a bunch of devices… but that’s better than ignoring the risk. Especially after a leak like this one occurs.