This should come as no surprise, but it still sucks big-time: thousands of people who downloaded a random, very popular app called WiFi Finder found that it got handsy with users’ own home Wi-Fi, uploading their network passwords to a database full of 2 million passwords that was found exposed and unprotected online.
The leaked database was discovered by Sanyam Jain, a security researcher and a member of the GDI Foundation who reported his find to TechCrunch. Jain and TechCrunch’s Zack Whittaker spent more than two weeks fruitlessly trying to contact the developer, who they believe is based in China.
Receiving no reply, they instead turned to the host, DigitalOcean, which yanked the database within a day of their contact.
According to the app’s Google Play listing, it’s been installed more than 100,000 times.
The app does what it says it does: it searches for nearby hotspots, maps them, and enables users to upload all their stored Wi-Fi passwords. Unfortunately, in spite of what the app developer – Proofusion – claims, WiFi Finder doesn’t differentiate between public hotspots and what Whittaker says are the “countless” home Wi-Fi networks found by TechCrunch and Jain.
The exposed database didn’t give away contact information for any of the Wi-Fi network owners, but it did include geolocation data. The geolocations often corresponded to what look like wholly residential areas where there don’t appear to be any businesses, suggesting that the logins are for home networks.
WiFi Finder doesn’t require users to get network owner permission, leaving the door open for unauthorized access. An attacker could tweak router settings, could redirect network users to malicious websites by changing the DNS server, and could read any unencrypted traffic carried by the wireless network, enabling them to steal passwords and eavesdrop on communications.
Read those permissions!
WiFi Finder is a glaring example of how much security and privacy we all too often blithely hand over to an app that doesn’t deserve our trust. If you dig into the permissions it requests, you’ll find that it wants users to give it access to locations, full contact lists – including phone numbers and email accounts of all your friends, family, colleagues and whoever else is in that powerful hand warmer – plus the puzzlingly powerful ability to read, modify and delete data on your phone.
But why? That, unfortunately, is the question that we don’t get around to asking when we don’t bother to read app permissions.
Google has been trying to clean up the hot mess of bad apps in the Play store – a hot mess that, for example, saw 9m Androids infected with malware back in January, when Google removed 85 apps that were purportedly TV and video players and controllers but which would consistently show full-screen ads until they crashed, bringing in profitable ad impressions for the developers but nada for the victims.
We’re better off if we don’t solely depend on Google to strain out all the bad appery. By Google’s own calculations, only 0.09% of devices accessing the Play store were carrying malware as of January, but at 1.8 million phones, that’s nothing to sneeze at.
Make sure to check out app reviews and permissions to see what they’re up to before downloading. The majority of app developers may well have hearts of gold and the smarts to protect sensitive databases, but that still leaves plenty of random bulls in the china shop.
Code Execution Vulnerability Identified in Change Healthcare Cardiology DevicesA vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated...
29% of Small Businesses Spend Less Than $1,000 on IT Security Annually and Why They Are The Most Targeted
29% of Small Businesses Spend Less Than $1,000 on IT Security Annually and Why They Are The Most TargetedThe digital and network footprint of small businesses is continually growing. Online commerce, social media, remote workers, and cloud-based IT infrastructure are...
What Other Companies Can Learn from Facebook’s $5 Billion Fine and Why Privacy MattersWhile Facebook’s $5 billion settlement stands as the largest fine in the history of the Federal Trade Commission (FTC), one must take into consideration that not every company is...
Stay Up to Date With The Latest News & Updates
Join Our Newsletter
Get weekly tech updates and immediate alerts when there is a zero-day or security issue!