Popular ‘WiFi Finder’ App Leaks 2 Million+ Passwords

A widely used Android app for finding free Wi-Fi passwords was horribly insecure. It’s been sitting on an unsecured database, open to the internet.

And the developer is nowhere to be found. Who knew that this modern version of warchalking could be so dangerous?

It gives a whole new meaning to Pre-Shared Key. In today’s SB Blogwatch, we put a tinfoil hat on your AP.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Television Delivers People.


PSK APK FAIL

What’s the craic, Zack? Mister Whittaker crunches the numbers—“App exposed 2 million Wi-Fi network passwords”:

 The app allows the user to upload Wi-Fi network passwords from their devices to its database. … That database of more than two million network passwords, however, was … unprotected.

Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID) and network password stored in plaintext. … A review of the data showed countless home Wi-Fi networks.

The app doesn’t require users to obtain the permission from the network owner, exposing Wi-Fi networks to unauthorized access. … We spent more than two weeks trying to contact the developer, believed to be based in China, to no avail.

Dude! Dell Cameron sounds exasperated—“If You Used This App, the Passwords of the Private Wifi Networks You Connected to Leaked Online”:

 Thousands of users … inadvertently submitted their own home wifi passwords to the app’s database, which has now leaked online. Le sigh.

The app … appears to be based in China, because of course it is. [It] has been used by over a 100,000 people … thousands of users in the U.S. alone.

What is horrifying is … that so many people are continuing to download apps developed by companies no one’s ever heard of, granting them access to all sorts of personal information about themselves and others. [It] required users to surrender access to their locations, full contact lists—meaning phone numbers and email accounts of all their friends and family members, and in some cases their birthdays and social media profiles—as well as, for no particular reason, the ability to read, modify, and delete data.

Google Play itself continues to be a total ****show. … So please, for the love of god, just exercise an ounce of common sense.

Run! Logan Kipp sleeps on it: [You’re fired—Ed.]

 An open Wi-Fi or insecure Wi-Fi hotspot can lead to a number of different types of attack scenario. Given that many of these routers appear to be managed by consumers there is a real risk an attacker could access a router and modify its settings.

Apps like these open up a Pandora’s Box for abuse. There is a big difference between a public access hotspot that uses a proper tokenized login system and apps that appear to be crowdsourcing logins and password credentials.

Surely there’s a GDPR/CCPA/WPA angle here? Tim Mackey talks to Duncan Riley:

 One of the key components of GDPR is the concept of consent. … Users must consent to the collection of personal data by a provider and the provider must similarly disclose how it will manage and process that data.

In the case of the HotSpot finder applications’ collection of WiFi password data … the goal of the application and by extension its user base are at odds with the security of others.

Wait. Pause. Rosco P. Coltrane asks, “Where’s the contradiction?”:

 People download an app to share their passwords with everybody, and then someone gets their pants in a knot because the passwords are available to everybody?

What’s the problem?

Will Will Dormann—@wdormann—have a pithier take?

 People who share their WiFi network password should not be surprised if other people use the network.

And reboot246 couldn’t care less:

 I’m in a pathetic Motel 6, and I can tell you the wifi password. It’s no big secret.

[It’s] “ilovemotel6” Which I don’t! I’m using my phone instead of their “dial-up speed” wifi.

It’s enough to drive you to drink. Paul Guinnessy isn’t bitter:

 Dear oh dear, oh dear. … And people wonder why I’m always using VPN in public places.

Is there a silver lining? Noah Draper muses thuswise:

 Actually things like this … would form a basis for plausible deniability, making the internet generally safer … and protecting the general public from being scapegoated by IP address.

Remember when all the Wi-Fi routers came set to open access and the same default password? … Everybody had access to the internet, with greater anonymity. … We actually had greater legal protections when it was all open.

I bet the Play Store reviews are hilarious. Steve Mobile gets a bit shouty—“DO NOT DOWNLOAD OR USE THIS APP”:

 The app developer is a rude … novice who does not know how to program. This app has leaked 2 million wifi passwords in plaintext. … See news reports about this terrible, badly-designed app.

Meanwhile, Lenny Valentin spreads the obligatory Television Delivers People meme:

 Something Google something-something the product is you.

And Finally:

Television Delivers People—this 1973 short film’s message is still relevant to today’s web-and-app ecosystem after 45 years, and is the likely origin of the “You are the product” meme.

By video artist Richard Serra and Carlota Fay Schoolman. Read more on a certain popular wiki: Television Delivers People


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Carl Nenzén Lovén (cc:by)

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 590 posts and counting.See all posts by richi