Wi-Fi passwords of around two million networks have been exposed by a famous hotspot finder app available on Google Play store (now removed).
This app lets users search the nearby Wi-Fi networks and have thousands of downloads on Google Play. It allows users to upload the passwords of Wi-Fi networks from their devices to the database of the app, which can be used by others.
However, this database consisting of more than two million network passwords remained exposed and insecure, giving others a way not only to access but also download the data in bulk.
The exposed data was found out by a security researcher Sanyam Jain, who is a member of GDI Foundation. The developers of the app based in China were tried to be reached out but there have been no response from their side. DigitalOcean, the host was then contacted who after being informed, soon took down the database.
The spokesperson of DigitalOcean said that the servers hosting the exposed data were taken offline whereas the user was also informed about this.
According to TechCrunch findings, the record, available in plaintext includes the name of the Wi-Fi network, its password, geolocation, and basic service set identifier (BSSID) is also part of it.
There is no contact information of the Wi-Fi network owner available in the data, whereas the precise geolocations are available. Though app developers claim they do not provide passwords of home Wi-Fi networks, instead only of the public networks. But the data review shows personal Wi-Fi networks which are further backed by the geolocations of residential areas.
Users do not need permission from the owner before the app provides them unauthorized access to the Wi-Fi network. This would enable cybercriminals to carry out attacks and change the router settings, directing them to the malicious site by changing the DNS server as well. They would also be able to loot passwords and other secrets by studying the unencrypted traffic on the wireless network.
A major part of these passwords belongs to US based networks.
Read next: Internet Users Aren’t Doing Enough to Prevent Misuse of Their Data
This app lets users search the nearby Wi-Fi networks and have thousands of downloads on Google Play. It allows users to upload the passwords of Wi-Fi networks from their devices to the database of the app, which can be used by others.
However, this database consisting of more than two million network passwords remained exposed and insecure, giving others a way not only to access but also download the data in bulk.
The exposed data was found out by a security researcher Sanyam Jain, who is a member of GDI Foundation. The developers of the app based in China were tried to be reached out but there have been no response from their side. DigitalOcean, the host was then contacted who after being informed, soon took down the database.
The spokesperson of DigitalOcean said that the servers hosting the exposed data were taken offline whereas the user was also informed about this.
According to TechCrunch findings, the record, available in plaintext includes the name of the Wi-Fi network, its password, geolocation, and basic service set identifier (BSSID) is also part of it.
There is no contact information of the Wi-Fi network owner available in the data, whereas the precise geolocations are available. Though app developers claim they do not provide passwords of home Wi-Fi networks, instead only of the public networks. But the data review shows personal Wi-Fi networks which are further backed by the geolocations of residential areas.
Users do not need permission from the owner before the app provides them unauthorized access to the Wi-Fi network. This would enable cybercriminals to carry out attacks and change the router settings, directing them to the malicious site by changing the DNS server as well. They would also be able to loot passwords and other secrets by studying the unencrypted traffic on the wireless network.
A major part of these passwords belongs to US based networks.
Read next: Internet Users Aren’t Doing Enough to Prevent Misuse of Their Data
