A popular public Wi-Fi hotspot finder application had left its database of Wi-Fi network credentials, including geolocation and login credentials, connected to the internet, and without any form of protection. The issue, spotted by security researcher Sanyam Jain and reported by TechCrunch, has been seemingly resolved since brought to light, and the database host has taken down all the data in a bid to prevent a potential cyber catastrophe.
However, the latest incident marks a series of similar lapses in reasonable cyber security steps that are expected of services, with databases left online without any form of encryption, or even a password. The app in question is meant for sharing public Wi-Fi hotspots while users connect to it, and automatically uploads such passwords to an online database. However, while uploading public network credentials, the app also uploaded a large set of private network data, complete with login credentials and geolocation details to the server.
To make things worse, all of this, along with each network’s BSSID (basic service set identifier), which can be used to identify and track down a network, was uploaded online and stored in plain text, making it available for anyone to read. The security implications are ominous, for any user with malicious intent can tap into the data, modify router settings and redirect users into genuine-looking sites ridden with all forms of malware, which could in turn lead into phishing or ransomware attacks.
Thankfully, there were no private contact details included within the database. This marks yet another close shave in terms of severe personal data damage, and another win for white hat cyber security researchers in the endless saga of cyber warfare.