Facepalm: Nothing is more useful to a traveler than an app that can point out local public hotspots. However, a popular and well-reviewed hotspot finder for Android left the passwords of over two million routers, including home networks, exposed on the internet in plaintext.
The app, simply named “WiFi Finder,” searches for nearby hotspots. Users could upload public hotspots, or even their own router passwords, to the app’s database to allow other users to find and access those networks.
However, the app’s database was left wide open on the internet. The credentials of over two million networks were unsecured and unencrypted for an unknown length of time.
Security researcher Sanyam Jain of the GDI Foundation told TechCrunch that the data was easily accessible for anyone to download. The records contained the WiFi network name, geolocation, its basic service set identifier (BSSID), and the network password stored in plaintext.
TechCrunch tried reaching Proofusion, the Chinese developer of the app, but received no response. It then contacted DigitalOcean, the company hosting the app’s database, and the database was taken down within 24 hours.
“We notified the user [Proofusion] and have taken the [server] hosting the exposed database offline,” said a spokesperson for DigitalOcean.
The developer claims that the app only provides passwords for “public hotspots.” However, when analyzed, the exposed data contained many home networks.
Indeed, even in the app’s description, it advertises, “Share your network,” and “Be social and share your Wi-Fi hotspots. Add your Wi-Fi network and update.”
With the database taken down, the app may not be functioning properly now. It is unclear if Proofusion will address the problem.