• A WiFi hotspot finder and password-sharing app has leaked 2 million passwords.
  • The leak occurred through an unprotected database, which was taken down by the hosting service.
  • The developer has not responded to the finding yet and has shown characteristic irresponsibility overall.

WiFi Finder, which according to the Play Store has had over a hundred thousand installations so far, has just leaked two million WiFi network passwords. It did so by storing all the passwords logged by the app's users in an unprotected online database. The worst part is that the sensitive information was stored in plaintext, so it was perfectly readable by anyone who accessed the database. This says something about the people responsible for handling WiFi Finder's sensitive data.

The discovery was made by security researcher Sanyam Jain, who spent over two weeks trying to contact the WiFi Finder developers, but to no avail. The host of the database proved more responsive and took it down less than 24 hours after being contacted and informed of the problem. The user data entries consisted of the WiFi network name, the geolocation data, the basic service set identifier (BSSID), and the password in readable form. The researcher looked through various samples and deduced that there were both public hotspots and home networks in there.

WiFi Finder is supposed to help people find and share public hotspots for easy internet access, covering 100,000 cities around the globe and saving you from spending your precious mobile network data. However, since home networks are also in the database, this is considered a severe leak from a safety standpoint. Having a malicious actor connected to your WiFi network could mean potential traffic interception, messing with your router settings, and even advanced phishing through DNS manipulation. So, what needs to be done now is to change the WiFi passwords of all the networks that have been exposed through the unsecured database.

Many of these passwords concern WiFi networks located in the U.S., but of course, the problem is global. While the app has been downloaded by many Android users, it hasn’t managed to establish a good ranking, as the average user rating is only 3.8 out of 5, which is below average. With this latest incident demonstrating the developer’s inability to secure a database, to store sensitive data in encrypted form, and to reply to security warnings in a timely manner, I think this rating will drop even further from now on.
