WiFi Finder Exposed Over 2 Million Wi-Fi Passwords
You probably know that you should never share passwords. But can this piece of advice be applied to every single situation? No, it can't. Work often requires you to use the same login credentials as some of your colleagues, and even if it doesn't, when you get home, you share your Wi-Fi password with your family and the friends who come over every now and again. Obviously, you know how important it is to keep your Wi-Fi network protected, which is why you've only shared your Wi-Fi password with people you trust. Or have you?
Mobile apps are used to share Wi-Fi passwords without owners' consent
People spend hours in airport lounges and cafes, and they're often desperate to hook up to the available Wi-Fi networks in order to access the internet. Sometimes, however, for various reasons, getting the password that protects the network is not possible, which is a big problem, especially for people who are abroad, where the mobile data charges can be astronomical. Users who find themselves in such a situation will be happy to learn that, as some clever marketing people from Apple once said, "there's an app for that".
More specifically, there are multiple iOS and Android apps that help users share login credentials for wireless networks all around the world. Using crowd-sourced data, they build a map of Wi-Fi networks, and with the help of your phone's GPS, they can show you the hotspots that are closest to you. Because users also share passwords, you can connect to the internet without having to bother with trivial stuff like communicating with other human beings. You too can share Wi-Fi networks and passwords with others, which brings the sort of communal spirit that is often missing from the digital world.
The thing is, on the internet, the "Sharing is caring" mentality often brings additional risks. Just think about how dangerous pirated software can be, for example. Sure enough, it pays to think twice before sharing a Wi-Fi network or using one that's already been shared.
At the very least, sharing a Wi-Fi password defeats one of its main purposes – keeping unwanted people out of the network. You probably won't be too happy if you find out that someone has shared the password for your home network with thousands of other people without your consent, and although in theory these applications should only be used for public locations (cafes, theaters, airports, etc.), an app called WiFi Finder showed us that this is not always the case.
WiFi Finder left a database of Wi-Fi passwords exposed to the whole world
WiFi Finder is an Android application that was recently taken down from the Play Store for a very good reason, as we'll find out in a minute. An archived version of WiFi Finder's Google Play page shows that while not everyone was happy with the app, it did have some positive reviews. It also had more than 100 thousand downloads, and according to the description, it gave users access to Wi-Fi networks all around the world. All in all, it looked like one of the many platforms of this type. As we've established already, some might argue that its out-of-the-box functionality could theoretically put your wireless network at risk. Sanyam Jain, a security specialist and member of the GDI Foundation, discovered, however, that the app had a darker secret.
In truth, "secret" probably isn't the right word, because it was all freely accessible. By "all", we mean the Wi-Fi networks that the app's users had been sharing. All the information, including more than two million SSIDs, passwords in plain text, and geolocations, was stored in a database that was not protected by a password or any other mechanism for that matter. Anyone who knew where to look was able to locate and download the data with no more than a few clicks.
Sanyam Jain knew that the leak could cause a lot of damage for the owners of the exposed networks, which is why he got in touch with Zack Whittaker, TechCrunch's security editor, who set about informing WiFi Finder's developer – a company known as Proofusion. Sadly, multiple attempts to get through to Proofusion hit a brick wall, and in the end, Whittaker and Jain contacted OVH, the company that provided WiFi Finder with hosting services. The database was taken offline swiftly thereafter, and after TechCrunch broke the news publicly, WiFi Finder was also removed from Google Play.
Users can be thankful that for once, the experts didn't see any personally identifiable information in the exposed database. That said, the geolocation data helped Whittaker and Jain learn that many of the exposed passwords belonged to home networks. Tens of thousands are based in the US, and at least some of them are located in residential areas.
How bad could the consequences be?
It's difficult to say whether any cybercrooks accessed the SSIDs and passwords before OVH managed to take the database down. So far, nobody has complained about having their wireless network compromised because of the leak, either. It's fair to say, however, that you definitely don't want to have your own Wi-Fi network exposed in such a way.
Admittedly, an attacker who wants to do anything will need to be within range of your network, which does limit the risk to some extent. Even so, if they do hook up to your Wi-Fi signal, they can, among other things, sniff through your network traffic and set up a DNS hijacking mechanism, which can land you in a world of trouble.
Building a database of network credentials is pretty risky, but despite this, there are plenty of apps that do it and plenty of users who see nothing wrong with it. By exposing such a database, however, developers of these apps can actively put users in harm's way. Here's hoping that WiFi Finder is an exception rather than the rule.