More than 2 million passwords for Wi-Fi hotspots were leaked online by the Android app developer behind the mobile application called WiFi Finder. The passwords were part of an insecure database found by researchers at GDI Foundation.
The Android app itself did not just help users find Wi-Fi hotspots, but also supplied username and passwords that were crowdsourced by the apps users. According to researchers, the total database included 2 million username and password pairs, with tens-of-thousands of hotspots located in the United States, according to TechCrunch, which first reported the leaky server.
GDI Foundation said the developer is based in China and the app has been downloaded “thousands” of times by users. Data included public and private hotspots, but also “countless” numbers of home Wi-Fi hotspots.
“The exposed data didn’t include contact information for any of the Wi-Fi network owners, but the geolocation of each Wi-Fi network correlated on a map often included networks in wholly residential areas or where no discernible businesses exist,” reported TechCrunch.
Security experts at SiteLock cautioned that not only do public Wi-Fi hotspots pose security issues for unprotected users, but also potentially to those providing them to the public.
“An open Wi-Fi or insecure Wi-Fi hotspot can lead to a number of different types of attack scenario,” said Logan Kipp, technical architect at SiteLock. “Given that many of these routers appear to be managed by consumers there is a real risk an attacker could access a router and modify its settings.”
He cautioned that consumer and commercial hotspots seldom take the extra security steps needed to mitigate against man-in-the-middle attacks and prevent Wi-Fi monitoring and packet sniffing tools from plucking private data from user wireless sessions.
The data found by GDI Foundation researchers included Wi-Fi network names, the network’s precise geolocation, basic service set identifier (BSSID) and network password stored in plaintext, according to the TechCrunch report.
GDI Foundation attempted and failed to contact the China-based app maker behind WiFi Finder. Instead, it reached out to cloud services firm DigitalOcean that hosted the insecure data, which removed it.
SiteLock’s Kipp said the WiFi Finder app was one of many apps that crowdsourced a collection of SSID (service set identifier) data and passwords. Threatpost identified a number of them on the Google Play marketplace from one called Free WiFi Passwords and Hotspots from Instabridge, to Wifi Password Viewer – Share Wifi Password and WiFi Map — Free Passwords & Hotspots.
“Apps like these open up a Pandora’s Box for abuse,” Kipp said. “There is a big difference between a public access hotspot that uses a proper tokenized login system and apps that appear to be crowdsourcing logins and password credentials.”
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.
