Threat Watch

More Than Two Million Network Passwords Leaked by Wi-Fi Hotspot Finder App

An app popular amongst Android users for locating accessible Wi-Fi nearby has exposed the passwords for over two million networks. The app itself has more than 100,000 users and allows them to upload their own Wi-Fi passwords as well, so that others may access them. A deeper analysis found that the database contained network information such as network name, geolocation data, and passwords stored in plain text, among other information. While the app supposedly offers only public Wi-Fi networks, that does not seem to be the case based on the information included in the database: many of the servers were from home networks. The company that created the app was called out for leaving this database wide open, but no response has been given. The researcher who discovered the database decided to reach out to DigitalOcean, which hosts the app, and the hosting provider quickly removed the database.

ANALYST NOTES

Users should never provide their Wi-Fi password, especially if it is for public use. If an unauthorized party were to gain access to a user’s network, they could modify the router settings, view unencrypted traffic, and modify the DNS servers. It is suggested that users who believe they could have been affected reach out to their ISP and notify them of the situation.