Submitted via IRC for Bytram
A hotspot finder app exposed 2 million Wi-Fi network passwords – TechCrunch
A popular hotspot finder app for Android exposed the Wi-Fi network passwords for more than two million networks.
The app, downloaded by thousands of users [Ed: link appears to have been removed], allowed anyone to search for Wi-Fi networks in their nearby area. The app allows the user to upload Wi-Fi network passwords from their devices to its database for others to use.
That database of more than two million network passwords, however, was left exposed and unprotected, allowing anyone to access and download the contents in bulk.
Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database and reported the findings to TechCrunch.
We spent more than two weeks trying to contact the developer, believed to be based in China, to no avail. Eventually we contacted the host, DigitalOcean, which took down the database within a day of reaching out.
“We notified the user and have taken the [server] hosting the exposed database offline,” a spokesperson told TechCrunch.
Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID) and network password stored in plaintext.
[...] Tens of thousands of the exposed Wi-Fi passwords are for networks based in the U.S.
(Score: 2) by Bot on Wednesday April 24 2019, @09:06AM (3 children)
I would be bothered by another detail: why are the passwords accessible to any other app other than the networking daemon? An app needs to connect to the net, and possibly know what kind of connection it is. Nothing else.
Account abandoned.
(Score: 2) by janrinok on Wednesday April 24 2019, @09:15AM
The passwords were compromised by WiFi routers. They were collected by an app on the mobile device. The app then sent the passwords to a central database which was accessible to anybody.
(Score: 2) by DannyB on Wednesday April 24 2019, @02:00PM (1 child)
From TFA
So, a Hotel gives Jane a WiFi password. That password is only intended for hotel guests.
The app asks Jane (or maybe it doesn't even bother to ask) for permission to upload the password to the WiFi hotspot?
Jane, in the spirit of sharing, says:
[x] Yes, please upload any data from my device that you think might be useful
[_] No, please do not neglect to upload all my data
The database has a large collection of WiFi passwords that were intended to be used by selected users -- such as customers. If the WiFi were intended for the general public, then it would not have required a password.
The lower I set my standards the more accomplishments I have.
(Score: 2) by Bot on Wednesday April 24 2019, @03:29PM
don't give them ideas...
Account abandoned.