The Android app WiFi Finder lets users connect to hotspots in their surroundings and upload hotspot passwords so that other users can connect to them automatically. The app stored these passwords in plain text in a database that was exposed to the internet without any protection. According to a report by TechCrunch, security researcher Sanyam Jain discovered the data leak, which exposed not only hotspots but also the access credentials of private WLANs. The database has since been taken offline.
The database contained the names (SSID, Service Set Identifier) of about two million Wi-Fi networks, as well as the passwords in plain text and the geo coordinates. In addition, the BSSID (Basic Service Set Identification) was saved, a unique ID of the individual access points.
The app claims to offer only the passwords of public hotspots, but according to TechCrunch the database also contained countless home networks; many of the wireless networks, for example, were located in residential areas. Any app user could upload the access credentials of any Wi-Fi network available to them, and no permission from the network owner was required. It is therefore possible that the credentials of private networks ended up in the database without the knowledge of the owners of the respective WLANs.
No contact with the developer
TechCrunch spent more than two weeks trying to reach the creator of WiFi Finder, to no avail. They then contacted the web host Digital Ocean, on whose servers the database was stored. Digital Ocean responded promptly: within one day, the database was no longer accessible from the internet.
The database contained no contact details for the respective network operators, so they could not be contacted and notified of the problem, TechCrunch writes. Several tens of thousands of the WLANs were located in the US. The report does not reveal how the remaining WLANs were distributed worldwide. According to Google's Play Store, the app has over 100,000 installations.