
Whoops: Hotspot-Finding Android App Shared Millions of Wi-Fi Passwords


People can't stand being cut off from the Internet. That's why some apps make it easy to find public hotspots. But TechCrunch reported today that one such app was overzealous in its collection of network data, gathering information about private Wi-Fi networks in residential areas and then making that data available to the public.

The utility in question is WiFi Finder, an Android app that lets people share network passwords from their devices. The service had collected more than 2 million such passwords, and according to security researcher Sanyam Jain, it stored them in a DigitalOcean-hosted database that anyone could access.

WiFi Finder didn't limit its data collection to network passwords either. It also gathered each network's name (SSID), its basic service set identifier (BSSID, the access point's hardware address) and its precise geolocation. Together, that information would make it much easier for someone to locate a specific private network, join it, and then potentially use that access to attack any devices connected to it.
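To make concrete why precise coordinates alongside credentials are the dangerous combination, here is an added example (not code from the article, TechCrunch or the WiFi Finder developers) that treats a leaked record set as a location index: given a point and a radius, it returns the nearby networks, nearest first, and separately the ones that had a password on file, i.e. the ones that were never meant to be public. The records are constructed for illustration and are not from the real database; the field names, the `LEAKED_RECORDS` list and the function names are assumptions made for this example.

```python
import math

# Constructed sample records with the fields the article says WiFi Finder
# collected (SSID, BSSID, precise coordinates, password). Every value here
# is made up for illustration; none of it comes from the leaked database.
LEAKED_RECORDS = [
    {"ssid": "Airport_Free_WiFi", "bssid": "00:11:22:33:44:01",
     "lat": 51.4700, "lon": -0.4543, "password": ""},
    {"ssid": "HomeNet-2G", "bssid": "00:11:22:33:44:02",
     "lat": 51.5072, "lon": -0.1276, "password": "hunter2"},
    {"ssid": "SmithFamily", "bssid": "00:11:22:33:44:03",
     "lat": 51.5080, "lon": -0.1290, "password": "letmein123"},
    {"ssid": "Cafe_Guest", "bssid": "00:11:22:33:44:04",
     "lat": 51.5155, "lon": -0.1419, "password": "coffee"},
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points (mean Earth radius)."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def networks_near(records, lat, lon, radius_m):
    """Return (distance_m, record) for every record within radius_m of the
    point, nearest first. This is the whole 'targeting' step: a leak with
    precise coordinates turns into a map lookup."""
    hits = []
    for rec in records:
        d = haversine_m(lat, lon, rec["lat"], rec["lon"])
        if d <= radius_m:
            hits.append((round(d), rec))
    hits.sort(key=lambda h: h[0])
    return hits


def protected_networks_near(records, lat, lon, radius_m):
    """Same query, restricted to networks that carry a password in the record.
    Open hotspots were public anyway; these are the private ones whose
    exposure is the real harm."""
    return [(d, rec) for d, rec in networks_near(records, lat, lon, radius_m)
            if rec["password"]]


if __name__ == "__main__":
    # Query around a constructed residential point in central London.
    for d, rec in protected_networks_near(LEAKED_RECORDS, 51.5075, -0.1280, 200):
        print(f"{d:4d} m  {rec['ssid']:<18} {rec['bssid']}  password={rec['password']!r}")
```

The point of the example is how little work the attacker's side is: the hard part (collecting credentials and GPS fixes) was done by the app and its users, and once the database is reachable, a few lines of arithmetic turn it into "which homes within 200 m can I join right now". The defensive corollary is that a dataset like this should never have been reachable without authentication, and that geolocation precision should be coarsened or dropped for any record that is not a genuinely public hotspot.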

It’s hard to argue that wireless networks haven’t made life a lot more convenient. But they’ve also opened up otherwise secure devices (and entire homes) to attack. Sometimes that insecurity arrives via misbehaving services like WiFi Finder; sometimes it’s found in vulnerabilities within networking hardware or with the Wi-Fi standard itself.

The most secure option is, naturally, to avoid wireless networks entirely. But most people don’t want to do that—apps like WiFi Finder exist because those folks want to be connected even when they aren’t home. Who’s actually going to expect those people to ditch Wi-Fi at home? We’re pretty sure convenience will trump security almost every time.

That leaves it up to companies to make anything related to wireless networks as secure as possible. TechCrunch said the developers behind WiFi Finder didn't respond to its attempts to contact them for two weeks, but DigitalOcean took the database's server offline just a day after the outlet started asking about it, which is quicker than some other hosting providers respond to such problems with customer databases.