More than two million wireless network passwords were exposed by the developer of WIFI Finder.
This app lets users upload their Wi-Fi passwords from their devices to the app’s database. Then, users can share that network with other users. However, one drawback is that the network owner doesn’t have the option to grant permission to other users, so anyone can enter it after you upload your credentials. Nonetheless, many users downloaded this app and had no idea that their credentials were in plain sight.
Unfortunately, the WiFi Finder app was downloaded and used by more than 2 million users, revealing all the credentials from those networks. The database was unsecured and unencrypted, allowing anyone to access and download it.
Thanks to a security researcher of the GDI Foundation, Sanyam Jain, this issue was brought to the attention of the public:
[1/3] Found a MongoDB hosted on Digital Ocean containing Wifi spot name, BSSID and as well as passwords too. Around 2 million records were there as well as lat and long are also there where the wifi-hotspot is located.
— S. (@HeliumNitro) April 12, 2019
The Database Was Taken Down, But The Developer Is Still Not Responding
In a report posted by TechCrunch’s Zack Whittaker on this issue, we learned that after Jain and Zack tried their best to contact the Chinese developer, they finally got through to the host, DigitalOcean, which took the database down one day later. A spokesperson told them that the server that hosted the exposed database was taken offline and that they reached out to the developer as well.
The issue was that the database contained a lot of information that wasn’t supposed to be revealed, leaving all networks vulnerable to unauthorized access:
“Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID) and network password stored in plaintext,” wrote Whittaker.
Whittaker added that many of the exposed networks in the U.S. were home wireless networks, and he learned that just by looking up the coordinates on Google Maps. Outside the U.S., “tens of thousands” of Wi-Fi passwords were exposed.
This is a severe problem, considering that anyone having access to the database can enter a person’s network and try to find vulnerabilities in the network to infect devices, download inappropriate content or even launch cyber attacks.
The app is now gone from Google Play. If you were among those that used WIFI Finder, you should immediately change your Wi-Fi password, and it is even recommended you do so once in a while to avoid any risks.
Tim M. Hill helped bring Digital-Overload from a weekly newsletter to a full-fledged news site by creating a new website and branding. He continues to assist in keeping the site responsive and well organized for the readers. As a writer to Digital-Overload, Tim mainly covers mobile news and gadgets.