Submitted via IRC for Bytram
A hotspot finder app exposed 2 million Wi-Fi network passwords – TechCrunch
A popular hotspot finder app for Android exposed the Wi-Fi network passwords for more than two million networks.
The app, downloaded by thousands of users [Ed: link appears to have been removed], allowed anyone to search for Wi-Fi networks in their nearby area. The app allows the user to upload Wi-Fi network passwords from their devices to its database for others to use.
That database of more than two million network passwords, however, was left exposed and unprotected, allowing anyone to access and download the contents in bulk.
Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database and reported the findings to TechCrunch.
We spent more than two weeks trying to contact the developer, believed to be based in China, to no avail. Eventually we contacted the host, DigitalOcean, which took down the database within a day of reaching out.
“We notified the user and have taken the [server] hosting the exposed database offline,” a spokesperson told TechCrunch.
Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID) and network password stored in plaintext.
[...] Tens of thousands of the exposed Wi-Fi passwords are for networks based in the U.S.
(Score: 4, Insightful) by maxwell demon on Wednesday April 24 2019, @08:40AM (8 children)
So the passwords were meant to be used by the public? So why is exposing them a problem?
If you don't want your password to be known by the public, don't publish it.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by janrinok on Wednesday April 24 2019, @09:04AM (3 children)
No, the passwords were not meant to be used by the public, they should have been secured. But, once collected, they were uploaded to a central database so that everyone could use them. If you like, it is similar to sharing the passwords collected by war-driving.
[nostyle RIP 06 May 2025]
(Score: 1, Informative) by Anonymous Coward on Wednesday April 24 2019, @09:51AM (2 children)
So which one is it? Are these meant to be private or not? First you write "not", then you said "used by everyone". One contradicts the other.
That the devs didn't make the database accessible only to the application is irrelevant. It is NOT POSSIBLE to not allow anonymous access if you do not authenticate each user separately and isolate their access and data. Access to a central resource without authentication is by definition the same as having no access control, at least when it comes to security.
People need to learn what security means. Anyone with access to the application would by definition have access to entire database, shared password or not. It's just one reverse engineering challenge away.
.... what? Maybe you should read what this is. It's mapping out where WiFi access points are and possibly what their access requirements are. It has absolutely nothing to do with breaking into these APs.
https://en.wikipedia.org/wiki/Wardriving [wikipedia.org]
And how you got the "passwords collected", I have no idea. You may want to read up on how WiFi authentication works.
(Score: 5, Informative) by janrinok on Wednesday April 24 2019, @11:08AM (1 child)
No, it doesn't, although the TFA is particularly clear in certain details. You have read TFA, haven't you?
My reading of TFA and other reporting leads me to understand the problem as follows:
The hotspots were meant to be limited to a specific group of people, perhaps customers in a cafe or patients in a hospital. The passwords should have been restricted to those people who were entitled to use the hotspot, but not made available to anyone else.
However, any WiFi passwords that were entered into the device in which the app was installed, along with the geolocation of the hotspot, BSSID and other information, were sent by the app in clear to a database in the cloud which was also insecure and thus freely accessible to anyone. The result is that people other than those authorised to use the hotspot could identify hotspots close to where they were and log in and use the connections.
The app might collect several passwords as the user travelled around and also the password of, say, his own private home router, and each one of those passwords was subsequently sent to the database in the cloud in clear.
The app, it was claimed, would only identify public hotspots but, in actual fact, it also identified numerous private and home routers.
[nostyle RIP 06 May 2025]
(Score: 3, Informative) by janrinok on Wednesday April 24 2019, @11:12AM
See Also:
https://nakedsecurity.sophos.com/2019/04/23/hotspot-finder-app-blabs-2-million-wi-fi-network-passwords/ [sophos.com]
https://gadgets.ndtv.com/apps/news/wifi-finder-hotspot-android-app-reveals-2-million-wi-fi-network-passwords-2027319 [ndtv.com]
https://www.ubergizmo.com/2019/04/hotspot-finder-app-exposed-millions-passwords/ [ubergizmo.com]
[nostyle RIP 06 May 2025]
(Score: 2) by Bot on Wednesday April 24 2019, @09:06AM (3 children)
I would be bothered by another detail: why are the passwords accessible to any other app other than the networking daemon? An app needs to connect to the net, and possibly know what kind of connection it is. Nothing else.
Account abandoned.
(Score: 2) by janrinok on Wednesday April 24 2019, @09:15AM
The passwords were compromised by WiFi routers. They were collected by an app on the mobile device. The app then sent the passwords to a central database which was accessible to anybody.
[nostyle RIP 06 May 2025]
(Score: 2) by DannyB on Wednesday April 24 2019, @02:00PM (1 child)
From TFA
So, a Hotel gives Jane a WiFi password. That password is only intended for hotel guests.
The app asks Jane (or maybe it doesn't even bother to ask) for permission to upload the password to the WiFi hotspot?
Jane, in the spirit of sharing, says:
[x] Yes, please upload any data from my device that you think might be useful
[_] No, please do not neglect to upload all my data
The database has a large collection of WiFi passwords that were intended to be used by selected users -- such as customers. If the WiFi were intended for the general public, then it would not have required a password.
If we work together, we can cut all homeless people and poor people in half by the end of 2025!
(Score: 2) by Bot on Wednesday April 24 2019, @03:29PM
don't give them ideas...
Account abandoned.
(Score: 4, Touché) by Booga1 on Wednesday April 24 2019, @09:33AM (1 child)
Users: Security is too hard. Make it easier to find free WiFi!
App developers: DONE! Your passwords are now shared with everyone!
I swear, people will trade anything for convenience.
(Score: 2, Funny) by Anonymous Coward on Wednesday April 24 2019, @09:55AM
You forget,
3. scanner finds database online
4. "security expert" informs developer that no shared password is used to access the DB
5. dev confused because data is public anyway by #1/#2
6. clueless make headlines and shutdown app
7. #1 users "OMG"
(Score: 3, Interesting) by DannyB on Wednesday April 24 2019, @01:52PM (5 children)
So having that massive database of WiFi passwords would have been okay if it weren't left exposed to public view?
If we work together, we can cut all homeless people and poor people in half by the end of 2025!
(Score: 2) by janrinok on Wednesday April 24 2019, @05:49PM (4 children)
I'm not sure if the uploading of data to the cloud was meant to be known, or whether the intention was to limit it to retrieving data that an individual had uploaded personally. This could either have been an attempt to gather router passwords for purposes that can only be guessed at, or it could simply have been poorly written software without thought to the security of the data collected.
The database has now been shut down and the app withdrawn, which is unfortunate in some ways. How will anyone know if their router has been compromised and thus that they should change their passwords? As ever, play safe and change it anyway.
[nostyle RIP 06 May 2025]
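janrinok's question above (how would an owner ever learn their router is in the dump once it has been taken down?) is one a notification service could answer. The following is an added example, not code from TechCrunch, the app, or any poster in this thread, and it goes beyond the article: it shows a privacy-preserving lookup in the style of the Have I Been Pwned range query, so an owner can check their BSSID without handing it over and the service never has to republish the passwords. The records, BSSIDs and passwords are constructed for the example; the 5-character prefix length is a design choice, not anything taken from the dump.

```python
import hashlib
from collections import defaultdict

# Constructed sample records with the same fields TechCrunch lists for the
# exposed database (SSID, BSSID, geolocation, plaintext password). Every value
# below is made up for this example; nothing here comes from the real dump.
LEAKED_RECORDS = [
    {"ssid": "CoffeeCorner", "bssid": "00:11:22:33:44:55",
     "lat": 40.7128, "lon": -74.0060, "password": "latte2019"},
    {"ssid": "Hotel-Guest", "bssid": "AA:BB:CC:DD:EE:01",
     "lat": 34.0522, "lon": -118.2437, "password": "welcome1"},
    {"ssid": "HomeNet", "bssid": "DE:AD:BE:EF:00:01",
     "lat": 41.8781, "lon": -87.6298, "password": "fluffy-cat-42"},
]

# Hex characters of the SHA-1 the owner reveals. 5 hex chars = 20 bits, so a
# two-million-row dump spreads over about a million buckets, roughly two rows
# per bucket: the service cannot tell which of them the caller owns.
PREFIX_LEN = 5


def normalize_bssid(bssid: str) -> str:
    """Canonical 'AA:BB:CC:DD:EE:FF' form so hashes match however the owner
    typed the address (case, ':' or '-' separators)."""
    digits = bssid.replace(":", "").replace("-", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a BSSID: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def bssid_hash(bssid: str) -> str:
    return hashlib.sha1(normalize_bssid(bssid).encode()).hexdigest().upper()


def build_index(records):
    """Service side. Only the BSSID hash goes into the index, bucketed by its
    prefix. Passwords and coordinates are deliberately dropped so the lookup
    service cannot become a second copy of the leak."""
    index = defaultdict(set)
    for r in records:
        h = bssid_hash(r["bssid"])
        index[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])
    return index


def range_query(index, prefix: str):
    """Service side. Returns every suffix in the bucket; the service learns
    which bucket the caller is in, not which BSSID they own."""
    return sorted(index.get(prefix.upper(), ()))


def is_affected(index, my_bssid: str) -> bool:
    """Owner side. Send only the prefix, do the final comparison locally."""
    h = bssid_hash(my_bssid)
    return h[PREFIX_LEN:] in range_query(index, h[:PREFIX_LEN])


if __name__ == "__main__":
    idx = build_index(LEAKED_RECORDS)
    for probe in ("de-ad-be-ef-00-01", "00:00:00:00:00:00"):
        verdict = "in the dump, change your passphrase" if is_affected(idx, probe) else "not found"
        print(f"{probe}: {verdict}")
```

One caveat a practitioner should keep in mind: a BSSID is only 48 bits and its first half is an OUI from a public registry, so SHA-1 of a BSSID is brute-forceable. The hash keeps the index from being a plain list of affected access points and keeps the owner's query private from the service; it is not a secret in itself, so the service still needs rate limiting and must never store the passwords next to the hashes.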
(Score: 2) by DannyB on Wednesday April 24 2019, @06:32PM (2 children)
I agree with your other posts here that the WiFi passwords were intended to be used only by the people they were issued to. They didn't expect those people to share them. If the WiFi had been intended to be used by all, it wouldn't have had a password. Example: a hotel WiFi.
You point out a bigger implication I hadn't even thought of. How are all of the WiFi owners whose passwords appeared in this database to be made aware of this? They have no idea they might need to change their password.
If this database had not been publicly exposed, those WiFi owners might never have realized they are getting increased use of their WiFi from non-customers. Not everyone will have a sophisticated enough system to issue unique passwords to each customer that are good for X number of days.
If we work together, we can cut all homeless people and poor people in half by the end of 2025!
(Score: 0) by Anonymous Coward on Wednesday April 24 2019, @07:13PM
You can change a password before it is compromised.
(Score: 2) by kazzie on Wednesday April 24 2019, @10:28PM
Many small hotels and coffee shops set a password on their "free" wifi, then post said password on the wall for all their customers to read and use.
(It's to discourage passers-by from lingering in the street to get free internet access, I guess.)
(Score: 0) by Anonymous Coward on Wednesday April 24 2019, @07:16PM
I think it sounds like a great App. A BugMeNot for wifi.
(Score: 0) by Anonymous Coward on Wednesday April 24 2019, @06:13PM
If you're under the impression WPS gives you any real control over access you're a fool. Use Enterprise if you want access control. If you're a business, you should have a captive portal at the very least, and your public WiFi should be segregated from the business network. PSKs aren't security for your internet connection - they prevent replay attacks.
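The post above contrasts a shared PSK with Enterprise, and an earlier reply suggests reading up on how WiFi authentication works. As an added example, not code from the article or any poster, here is what a leaked SSID + passphrase pair actually gives someone under WPA/WPA2-Personal: the PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, it is used directly as the PMK, and the per-session PTK is derived from the PMK plus four values (both MAC addresses, both nonces) that are sent in the clear during the 4-way handshake. So with a record like the ones in the dump and one captured handshake, any client's session keys can be recomputed; under WPA-Enterprise the PMK instead comes out of a per-user EAP exchange, so there is no shared passphrase to leak. The SSID "IEEE" / passphrase "password" pair is the published IEEE 802.11i test vector; the MAC addresses and nonces are constructed for the example.

```python
import hashlib
import hmac


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The PSK is used as the PMK unchanged, so SSID + passphrase is the entire secret."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0..3 and keep the first 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key from the PMK and the four public handshake values.
    The ordering rule (min/max of MACs and of nonces) means either side, or an
    eavesdropper, computes the same PTK. KCK/KEK protect the handshake itself;
    TK is the CCMP data key, i.e. what decrypts the client's traffic."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def keys_from_leaked_record(record: dict, ap_mac: bytes, sta_mac: bytes,
                            anonce: bytes, snonce: bytes) -> dict:
    """Everything an eavesdropper needs: one dump row plus one captured handshake."""
    return derive_ptk(wpa2_psk(record["password"], record["ssid"]),
                      ap_mac, sta_mac, anonce, snonce)


if __name__ == "__main__":
    # SSID/passphrase are the 802.11i Annex H test vector; everything else is constructed.
    record = {"ssid": "IEEE", "password": "password"}
    print("PSK/PMK:", wpa2_psk(record["password"], record["ssid"]).hex())
    keys = keys_from_leaked_record(record,
                                   ap_mac=bytes.fromhex("001122334455"),
                                   sta_mac=bytes.fromhex("66778899aabb"),
                                   anonce=bytes(range(32)),
                                   snonce=bytes(range(32, 64)))
    for name, k in keys.items():
        print(f"{name.upper()}: {k.hex()}")
```

The derivation above is the standard one, so the only defence a PSK network has is keeping the passphrase secret; once it is in a public database, rotating it is the only remedy, which is why janrinok's "change it anyway" advice is the right one. A captive portal on top of an open or shared-PSK network controls who gets Internet access but does nothing for this key derivation: everyone still shares the same PMK.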
(Score: 3, Interesting) by All Your Lawn Are Belong To Us on Thursday April 25 2019, @02:51PM
How did this differ from Wi-Fi Sense [lifewire.com] in Windows 10, except that the programmers were sloppy enough to let the database be crackable?
And I wonder if the app required an opt-in to share a given password or if it took all known passwords to be fair game? The latter might not be right, but the former would be all the user's fault for sharing passwords they shouldn't be....
This sig for rent.