It’s becoming harder to know which apps to trust these days, and that’s readily apparent with the disclosure of a vulnerability in the popular Android app “Wi-Fi Finder.” The purpose of the app is to make it easier for individuals to locate free public Wi-Fi hotspots that they can use on-the-go rather than digging into their cellular data.
However, according to security researcher Sanyam Jain, a password sharing feature of the app exposed its users' data. The feature allows users to upload Wi-Fi passwords stored on their devices so that they can be shared with others. That information, which should have been kept separate from the public Wi-Fi hotspots the app is primarily tasked with finding, sat in a database that was stored in plaintext and left open to anyone who found it.
Two million passwords were discovered in the database, tens of thousands of them belonging to networks in the United States. Not only were private network names (SSIDs) and their passwords readily accessible, but so was the precise geolocation of the routers in question.
The app, which appears to hail from China, made no distinction between credentials for public Wi-Fi hotspots that users had visited and wanted to share, and credentials for their own private Wi-Fi networks (or those of friends and family).
According to TechCrunch, which first reported on the Wi-Fi Finder incident, Jain attempted for two weeks to contact the developer of the app, Proofusion. All attempts to warn them about the exposed database failed, and Jain eventually had to turn to the host serving the database, DigitalOcean, to have it taken down.
With the SSID, password and precise location of a home network in hand, it would be trivial for an attacker to go to the address, join the network and gain unauthorized access. Once inside, they could move laterally through the network and compromise the devices attached to it.
According to the Google Play listing for Wi-Fi Finder, it has a 4/5 rating (1,491 ratings) and more than 100,000 installs.