WiFi Hotspot App Leaks 2M Passwords, Many Residential

An app designed to make it easier to get on public WiFi has accidentally exposed more than two million WiFi passwords. It appears to be a case of terrible design, rather than pure malice by the app designers.

The app is called "WiFi Finder - connect to hotspots" and is listed on the Google Play store as having more than 100,000 downloads.

In theory the app is part of a project to make using WiFi on the move more convenient. It's designed to be a massive database to which users can add public WiFi networks and the relevant passwords.

For example, visitors to a coffee store could add the password to the database, regardless of whether or not the owners of the store wanted the WiFi password made publicly available. In principle it's no different than somebody telling a friend the password - just that it's done on a much larger scale.

Password Database Exposed

The problem is that the database which powers the app turns out to be publicly available, most likely because the app developers didn't think the security through. To make things worse, the database lists not just the specific location and network names of each WiFi hotspot, but also the password in unencrypted text.

Security researcher Sanyam Jain worked with TechCrunch to examine the database and discovered that many of the networks were located in residential areas. That strongly suggested they were home WiFi networks, rather than ones which are designed to be accessible by customers of a store or the public in general. (Source: techcrunch.com)

It doesn't look like it's a case of people being dumb enough to intentionally and manually add their own network details and password to the hotspot database. Instead, users are offered the chance to simply upload all the saved network details on their device, which are then stored in the database.

No Filter For Home Networks

It seems that most users assumed the app would be designed to filter the device WiFi list somehow and only add the details for networks that are designed to be partially or fully accessible to the public (such as coffee shops, for example). Unfortunately, that's not the case. (Source: gizmodo.com)

Users of the app can't escape the blame completely, however. The app not only requested permission to access the WiFi network details, but also a bunch of information that was in no way relevant or necessary to the app, including a request for the user's personal contact list.

What's Your Opinion?

Does this sound like an intentional scam or poor app design? Is it reasonable to expect Google to have blocked an app like that given its potential flaws? Should - and could - phones be designed to be more explicit when it comes to warning of the dangers of sharing sensitive information, or is it the user's responsibility?
