Picture this: you’re out and about when you realize you’re close to reaching your mobile data cap, and you know going over your limit means extra fees. You could put the phone down. Whoa, pump the breaks. Let’s not get carried away.
Instead, you go looking for public Wi-Fi hotspots in the area. Your smartphone can search for available networks, but you opt to download a more robust app that shows nearby hotspots along with other handy information like passwords and their locations on a map.
But there’s a hiccup. This particular app, which has been downloaded by tens of thousands of people, just exposed millions of network passwords – many of which it shouldn’t have had access to in the first place. It might have even exposed your home network credentials, and exactly where it’s located.
Another exposed database of passwords
In yet another exposed database, a security researcher found the one for Wi-Fi Finder. It was filled with about 2 million plaintext network passwords from around the world, all available to see and download. Tens of thousands of those networks are in the U.S.
The researcher who made the discovery told TechCrunch about the database, and they’ve spent a couple of weeks trying to contact the developer, Proofusion, believed to be based in China. Nice. There’s been no response but once they reached out to DigitalOcean (the host), the database was quickly taken down.
Just the passwords would be bad enough, right? You would think so, but there was other sensitive information in the database like a network’s name (SSID) and exact geolocation. There was no contact info for network owners included in the database, but the precise geolocation part is a problem since it basically points out your network on a map.
The importance of your home network
Think about your home network for a minute and just how important it is. It ties your connected devices together, managing every aspect of your online activity. You know this so you’ve got a super-complicated password for your Wi-Fi network, along with firewalls and no ports left open for hackers to exploit. Yeah, you’re confident that you’re always one step ahead of any potential attackers.
Then there’s that app I mentioned that you just downloaded to use during your travels. Seems convenient, but wait – it wants access to the various Wi-Fi passwords stored on your smartphone. It also wants your location as well as access to other sensitive info.
Somehow that sounds totally on the up-and-up so you grant the app access to all kinds of permissions. Oops.
A convenient hotspot-finding app
The hotspot-finding app WiFi Finder is for Android devices. It’s available through the Google Play Store and has been downloaded over 100,000 times.
When you’re setting it up, it wants access to your stored list of Wi-Fi passwords, presumably because not all public hotspots are open and accessible without a password. For instance, let’s say you’ve stayed at a hotel or visited a coffee shop where you were given the password to access their Wi-Fi. Now that login info is stored on your device, and can help others access the same network once you share those credentials with the app.
Here’s the problem. The app apparently can’t tell the difference between public hotspots and personal home networks, so it would upload all those details onto their database – a database that was recently found to be totally exposed and unprotected.
Protecting your network and other data
The information leaked from this database could be a problem, but only if you’re singled out by a would-be cybercriminal. Once again, that’s where the geolocation data is the troublemaker. If nearby, a hacker could potentially join your network to spread malware and modify your router settings or other devices connected to it. As far as devices go, just think about a hacker’s potential access to your security cameras.
And if an attacker messes with your DNS server, you could unknowingly be sent to malicious websites that would cause even more problems. Also, any unencrypted traffic that includes other passwords and private data would also be at risk. On a side note, that’s why you should always look for the ‘S’ in the URL (https://) when visiting any sites.
If you’ve downloaded this app, delete it and change any and all network passwords that you’re responsible for. To be on the safe side, take a look at your network traffic for anything that looks suspicious or out of place.
Speaking of questionable apps, the Google Play Store has developed a reputation for letting all kinds of riff-raff in, from adware to malware. This app, WiFi Finder, not only wants network info, but access to your location and contacts – and the ability to modify data on your Android smartphone. No app, not this one or any other, needs that kind of access to your phone. If you come across any that do, deny and delete. Click or tap here to find out how best to manage permissions on your Android.
Do your research, because you can’t trust Google to do it for you. Read privacy policies and reviews from other users before downloading apps. Look up the app’s developer and where they’re located.
These are things Google should be doing, but they’re too busy ignoring their app-vetting process and bad YouTube algorithms to focus on the important issues: data mining and making money. At least they’re consistent.