Whoops: Hotspot-Finding Android App Shared Millions of Wi-Fi Passwords

Joanna Estrada
April 24, 2019

A popular Android app that has been downloaded by tens of thousands of Australians has been found to upload the passwords of users' home networks directly to a master database.

Used for locating and connecting to nearby public Wi-Fi hotspots, the app's security breach and privacy problems stemmed from a community feature that invites users to share the hotspots they find nearby. The service has collected more than 2 million such passwords, and according to a security researcher named Sanyam Jain, it stored them in a DigitalOcean-hosted database that anyone could access.

Users were obviously trapped by the app's description that urged them to "be social and share your Wi-Fi hotspots".

Every record contained not only the SSID for the network but also its password and exact location.

The app is, as the name suggests, designed to make it easier to find Wi-Fi hotspots in your area, but its utopian vision has gone badly wrong following research from the GDI Foundation for TechCrunch.

"In the case of the HotSpot finder applications' collection of WiFi password data, we see a situation where the goal of the application and by extension its user base are at odds with the security of others".

We tried out the app for ourselves and found numerous private Wi-Fi networks listed on the app, along with passwords displayed in plain text.

Fortunately, the contact information of network owners was not exposed as a result of the vulnerability.

Facepalm: Nothing is more useful to a traveler than an app that can point out local public hotspots. In this case, that convenience exposed home Wi-Fi networks to the attention of threat actors.

Visitors walk past the Android stand at the Mobile World Congress (MWC) in Barcelona on February 25, 2019.

"The app allows users to have unauthorized access to public and private Wi-Fi networks, allowing network owners to offer their Wi-Fi credentials for public connections without prompting them for permission", Becenti explained.

With the database taken down, the app may not be functioning properly now. The incident is also a reminder to keep Wi-Fi network details secret to avoid future risks.
