posted by Fnord666 on Wednesday April 24 2019, @08:23AM
from the definitely-a-hot-spot dept.

Submitted via IRC for Bytram

A hotspot finder app exposed 2 million Wi-Fi network passwords – TechCrunch

A popular hotspot finder app for Android exposed the Wi-Fi network passwords for more than two million networks.

The app, downloaded by thousands of users [Ed: link appears to have been removed], allowed anyone to search for Wi-Fi networks in their nearby area. The app allows the user to upload Wi-Fi network passwords from their devices to its database for others to use.

That database of more than two million network passwords, however, was left exposed and unprotected, allowing anyone to access and download the contents in bulk.

Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database and reported the findings to TechCrunch.

We spent more than two weeks trying to contact the developer, believed to be based in China, to no avail. Eventually we contacted the host, DigitalOcean, which took down the database within a day of reaching out.

“We notified the user and have taken the [server] hosting the exposed database offline,” a spokesperson told TechCrunch.

Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID) and network password stored in plaintext.

[...] Tens of thousands of the exposed Wi-Fi passwords are for networks based in the U.S.


Original Submission

  • (Score: 1, Informative) by Anonymous Coward on Wednesday April 24 2019, @09:51AM (#834272)

    passwords were not meant to be used by the public, they should have been secured. But, once collected, they were uploaded to a central database so that everyone could use them.

    So which one is it? Are these meant to be private or not? First you write "not", then you said "used by everyone". One contradicts the other.

    Just because the devs didn't make the database accessible only to the application is irrelevant. It is NOT POSSIBLE to disallow anonymous access if you do not authenticate each user separately and isolate their access and data. Access to a central resource without authentication is by definition the same as having no access control, at least when it comes to security.

    People need to learn what security means. Anyone with access to the application would by definition have access to the entire database, shared password or not. It's just one reverse engineering challenge away.

    it is similar to sharing the passwords collected by war-driving.

    .... what? Maybe you should read what this is. It's mapping out where WiFi access points are and possibly what their access requirements are. It has absolutely nothing to do with breaking into these APs.

    https://en.wikipedia.org/wiki/Wardriving

    And how you got the "passwords collected", I have no idea. You may want to read up on how WiFi authentication works.

  • (Score: 5, Informative) by janrinok (52) on Wednesday April 24 2019, @11:08AM (#834287)

    My reading of TFA and other reporting leads me to understand the problem as follows:

    So which one is it? Are these meant to be private or not? First you write "not", then you said "used by everyone". One contradicts the other.

    No, it doesn't, although the TFA is particularly clear in certain details. You have read TFA, haven't you?

    The hotspots were meant to be limited to a specific group of people, perhaps customers in a cafe or patients in a hospital. The passwords should have been restricted to those people who were entitled to use the hotspot, but not made available to anyone else.

    However, any WiFi passwords that were entered into the device in which the app was installed, along with the geolocation of the hotspot, BSSID and other information, were sent by the app in clear to a database in the cloud which was also insecure and thus freely accessible to anyone. The result is that people other than those authorised to use the hotspot could identify hotspots close to where they were and log in and use the connections.

    And how you got the "passwords collected", I have no idea.

    The app might collect several passwords as the user travelled around and also the password of, say, his own private home router, and each one of those passwords was subsequently sent to the database in the cloud in clear.

    The app, it was claimed, would only identify public hotspots but, in actual fact, it also identified numerous private and home routers.
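The two comments above make one design point between them: a database that every copy of the app reaches with a single embedded credential is, for security purposes, the same thing as the openly exposed database TechCrunch found, because whoever extracts that credential is indistinguishable from the app and can pull every record. The following is an added example written for this page (editor's code, not from the article, the app, DigitalOcean or either commenter). It models both designs in plain Python: a shared-key backend that lets any holder of the key dump everything, and a per-user backend where every row has an owner, reads are limited to shared hotspots near the caller, results are capped per request and per account, a caller can list only their own uploads, and no bulk read exists at all. The in-memory store, the token scheme and the hotspot records are all constructed for illustration.

```python
"""Two access-control designs for a hotspot-sharing backend (added example,
not the app's real code). Records, tokens and quotas are constructed here."""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class Hotspot:
    owner: str        # account that uploaded the row (set by the server, never the client)
    ssid: str
    bssid: str
    password: str     # sharing the password is the app's feature, so it has to be stored
    lat: float
    lon: float
    shared: bool      # uploader marks it as a public hotspot (cafe) or a private one (home router)


class QuotaExceeded(Exception):
    """Raised when an account has been served more rows than its quota allows."""


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), used for the proximity search."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class SharedKeyBackend:
    """Design 1: one key compiled into every copy of the app. The server cannot tell
    the genuine app from anyone who has extracted that key, so any key holder can
    read every row. This is the exposed database with one extra step in front of it."""

    def __init__(self, app_key):
        self._app_key = app_key
        self._rows = []

    def _check(self, key):
        if not hmac.compare_digest(key, self._app_key):
            raise PermissionError("bad app key")

    def upload(self, key, spot):
        self._check(key)
        self._rows.append(spot)

    def dump(self, key):
        self._check(key)
        return list(self._rows)   # nothing scopes what a caller may read


class PerUserBackend:
    """Design 2: each account gets its own token, every row has an owner, reads are
    limited to shared rows near the caller and capped per request and per account,
    an account can list only its own rows, and there is no bulk read at all."""

    def __init__(self, per_query_limit=20, per_account_quota=100):
        self._token_hashes = {}   # sha256(token) -> account; the raw token is never stored
        self._rows = []
        self._served = {}         # account -> rows served so far
        self._limit = per_query_limit
        self._quota = per_account_quota

    def register(self, account):
        token = secrets.token_urlsafe(32)
        self._token_hashes[hashlib.sha256(token.encode()).hexdigest()] = account
        self._served[account] = 0
        return token

    def _account(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored, account in self._token_hashes.items():
            if hmac.compare_digest(stored, digest):
                return account
        raise PermissionError("unknown token")

    def upload(self, token, ssid, bssid, password, lat, lon, shared):
        account = self._account(token)   # ownership is assigned server-side
        self._rows.append(Hotspot(account, ssid, bssid, password, lat, lon, shared))

    def nearby(self, token, lat, lon, radius_km=1.0):
        """Shared hotspots within radius_km of the caller, capped and counted."""
        account = self._account(token)
        hits = [r for r in self._rows
                if r.shared and distance_km(lat, lon, r.lat, r.lon) <= radius_km]
        hits = hits[:self._limit]
        if self._served[account] + len(hits) > self._quota:
            raise QuotaExceeded(account)
        self._served[account] += len(hits)
        return hits

    def my_rows(self, token):
        """Only the caller's own uploads, private ones included; never anyone else's."""
        account = self._account(token)
        return [r for r in self._rows if r.owner == account]


if __name__ == "__main__":
    backend = PerUserBackend()
    alice, bob = backend.register("alice"), backend.register("bob")
    backend.upload(alice, "CafeNet", "aa:bb:cc:dd:ee:01", "latte123", 51.5, -0.12, True)
    backend.upload(alice, "HomeNet", "aa:bb:cc:dd:ee:02", "hunter2", 51.5001, -0.12, False)
    print([h.ssid for h in backend.nearby(bob, 51.5, -0.12)])   # Bob sees only CafeNet
```

The per-account quota is the part worth noticing: even with per-user tokens, a search API that answers unlimited proximity queries can be walked across a map and reassembled into the same bulk dump, so the cap on rows served per account is what makes "no bulk read" true in practice rather than only on paper.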