App leaves over two million WiFi network passwords exposed on open database

News by Bradley Barth

Open database exposes passwords to access networks

More than two million WiFi network passwords were reportedly left exposed on an open database by the developer of WiFi Finder, an app designed to help device owners find and log in to hotspots.

The developer, Proofusion, claims its product only lists passwords for public Wi-Fi networks offered by the likes of restaurants and other high-traffic locations; however, information belonging to "countless" home networks was also included in the exposed data, according to a TechCrunch report published today. Each exposed record typically included a Wi-Fi network's name (SSID), its geolocation, its basic service set identifier (BSSID, the access point's MAC address) and the network password.

Security researcher Sanyam Jain, a member of the GDI Foundation, is credited with discovering the misconfigured database. TechCrunch says it contacted Proofusion multiple times over a two-week span, but never received a response. Ultimately, the database was reportedly taken down by its host, DigitalOcean.

TechCrunch says thousands of users have downloaded the app, which reportedly does not require users to seek permission from WiFi network owners before uploading their passwords for others to use.

Tim Mackey, senior technical evangelist at Synopsys, told SC Media UK that in the case of the HotSpot finder application's collection of WiFi password data, "we see a situation where the goal of the application, and by extension its user base, is at odds with the security of others".

"While WiFi credentials might be provided to an authorised user of a network, that same user providing those credentials to a third party likely falls outside of both terms of service for the WiFi network and the doctrine of consent," he said.

"In essence, the HotSpot finder app presumes their user has the authority to disclose potentially sensitive information and thus can consent to the app receiving and potentially storing that data. This then creates a situation where the threat model defined by the WiFi network owner might be insufficient – i.e., that only authorised users are granted access when user impersonation might become the norm. To mitigate this situation, operators of WiFi networks should routinely audit their access records to identify abnormal patterns of access and vet that access against the expected usage pattern for the user."
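As an added illustration of the audit Mackey recommends (this is example code, not the article's or Synopsys' own), the script below runs two simple checks over access-point association records: it flags any client MAC that is not on the operator's allowlist, and any known client that associates outside the hours in which it normally connects. The hostapd-style syslog format, the sample log lines and the allowlist are all constructed assumptions for the example; adapt the regular expression to whatever your access point or controller actually logs.

```python
import re
from datetime import datetime

# Constructed sample association records in a hostapd-like syslog format.
# The format is an assumption for this example; it is not from the article.
SAMPLE_LOG = """\
Apr 22 08:02:11 ap hostapd: wlan0: STA aa:bb:cc:00:00:01 IEEE 802.11: associated
Apr 22 08:05:40 ap hostapd: wlan0: STA aa:bb:cc:00:00:02 IEEE 802.11: associated
Apr 22 13:17:03 ap hostapd: wlan0: STA aa:bb:cc:00:00:01 IEEE 802.11: associated
Apr 22 23:48:55 ap hostapd: wlan0: STA aa:bb:cc:00:00:01 IEEE 802.11: associated
Apr 23 03:12:19 ap hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated
Apr 23 09:30:00 ap hostapd: wlan0: STA aa:bb:cc:00:00:02 IEEE 802.11: associated
"""

# Constructed allowlist: expected client MACs and the local hour window
# [start, end) in which each normally connects (e.g. office hours).
EXPECTED_CLIENTS = {
    "aa:bb:cc:00:00:01": (7, 19),
    "aa:bb:cc:00:00:02": (7, 19),
}

# Hypothetical line format: "<Mon> <day> <hh:mm:ss> <host> hostapd: <iface>: STA <mac> IEEE 802.11: associated"
ASSOC_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"hostapd: \S+: STA (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) "
    r"IEEE 802\.11: associated$"
)


def parse_associations(log_text, year=2019):
    """Return a list of (timestamp, mac) for each association line.

    Lines that do not match the expected format are skipped rather than
    raising, so a mixed syslog file can be fed in as-is.  Syslog lines carry
    no year, so the caller supplies it.
    """
    records = []
    for line in log_text.splitlines():
        m = ASSOC_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        records.append((ts, m["mac"].lower()))
    return records


def audit_access(log_text, expected, year=2019):
    """Flag associations that fall outside the operator's expected usage.

    Two checks: a client MAC that is not on the allowlist at all, and a known
    client associating outside its usual hours.  Returns a list of
    (timestamp, mac, reason) tuples in log order.
    """
    findings = []
    for ts, mac in parse_associations(log_text, year):
        window = expected.get(mac)
        if window is None:
            findings.append((ts, mac, "unknown client"))
        elif not (window[0] <= ts.hour < window[1]):
            findings.append((ts, mac, "outside usual hours"))
    return findings


def summarize(findings):
    """Count findings per reason, for a quick daily report."""
    counts = {}
    for _, _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_access(SAMPLE_LOG, EXPECTED_CLIENTS)
    for ts, mac, reason in results:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {mac}  {reason}")
    print(summarize(results))
```

On the sample data the script reports the 23:48 association by a known staff device and the 03:12 association by an unlisted MAC. A MAC allowlist is easy to spoof and is only a first cut; the point is that once a shared password is the norm, the password alone no longer distinguishes authorised users from impersonators, so the operator has to look at who actually connects and when.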

The original version of this article was first published on SC Media US.
