A popular Android app used for finding nearby Wi-Fi hotspots seems to have exposed over two million wireless networks. The app allows users to locate nearby public Wi-Fi hotspots so they can save their precious mobile data. Users can also upload their own Wi-Fi passwords to the app's database to share their network with others. It appears that over two million Wi-Fi network passwords were stored in plain text on a server, letting anyone download the database.
As reported by TechCrunch, an Android app based in China had collected more than two million Wi-Fi passwords from users across the globe. The app called 'WiFi Finder' has over 100,000 users, according to its listing on the Google Play Store.
This database of Wi-Fi networks includes the network name, geolocation data, and passwords stored in plain text, apart from other details.
'WiFi Finder' claims to offer public Wi-Fi hotspot details to its users, but it seems like the app has also been collecting passwords to home networks in residential areas.
The database was first discovered by Sanyam Jain, a security researcher, according to TechCrunch. Both Jain and TechCrunch tried to reach the Chinese company that created the app but were unsuccessful. They ended up contacting DigitalOcean, which hosts the app, and DigitalOcean took down the database quickly.
We tried out the app for ourselves and found numerous private Wi-Fi networks listed in it, with their passwords displayed in plain text. Some public Wi-Fi hotspots were listed as well, but residential Wi-Fi networks were still easy to pick out.
The 'WiFi Finder' app lists hundreds of Indian personal Wi-Fi networks too. One can easily navigate across a map and locate Wi-Fi networks with their passwords presented in plain text, and viewing a password requires no approval from the network's owner. It's likely that these users uploaded their own private Wi-Fi networks via the app.
If someone gains access to your network, they can easily modify your router's settings, read unencrypted traffic on your network, switch its DNS servers, and more.
We were able to spot Wi-Fi networks belonging to a police station, a public sector bank and several residential areas, as well as public Wi-Fi networks. However, some of these networks may have changed their passwords or gone offline over time; we haven't tested whether these passwords actually work.