WiFi Finder Android App Exposes Home WiFi Passwords




Thousands of users of an application called WiFi Finder, whose stated purpose is, of course, to locate public WiFi access points and provide their credentials, inadvertently submitted their own home Wi-Fi passwords to the application's database, which was exposed online.

Sigh.

TechCrunch reported Monday that the app, which seems to be based in China (because of course it is), has been used by more than 100,000 people to collect more than 2 million WiFi passwords worldwide. The database includes network names (SSIDs), precise geolocation, and plaintext passwords, among other data.

The application allows users to download lists of stored WiFi passwords, but it has no mechanism to differentiate public access points from home networks. In the United States alone, thousands of users apparently did not notice, to say nothing of the obvious failures of the application's developer.

The database itself was discovered by Sanyam Jain, a security researcher and member of the GDI Foundation, TechCrunch reported.

For more than two weeks, Jain and security reporter Zack Whittaker tried to contact the company behind the application, listed as "Proofusion" on Google Play. They failed. Finally, the cloud host DigitalOcean intervened and took the database offline.

Although the potential consequences of this exposure are extreme, they are probably limited by the fact that attackers would have to individually target the households contained in the database. (Although this is made more likely by the geolocation data the database exposed.)

In theory, an attacker could use the credentials to manipulate router settings, intercept connections, spread malware over a network, and take control of smart home devices, such as security cameras. Career cybercriminals would probably find this process tedious, though. Nowadays, it is much easier to spam a single malicious link to a few million users and see who takes the bait.

The horrible thing is that many people continue to download apps developed by companies that are unknown to anyone, giving them access to all kinds of personal information about themselves and others.

Downloading WiFi Finder, for example, required users to give up access to their location, their full contact list (the phone numbers and email accounts of all their friends and family members, and in some cases their birthdays and social network profiles), as well as, for no particular reason, the ability to read, edit and delete data on their phones.

If you did not know it already, do not use applications that request these permissions.

Google Play is in itself a total shitshow and one of the easiest ways to quickly spread malware to the incompetent masses. Researchers in January, for example, discovered that 9 million Android owners had been infected with dozens of malicious apps. A month earlier, another group of researchers had discovered that 22 apps downloaded more than 2 million times had secretly opened tiny browser windows and repeatedly clicked on ads, draining users' batteries. And last month, Google removed some 200 adware-infected apps that had been downloaded nearly 150 million times. The list goes on.

While it is true that reputable big companies can also disclose or simply intentionally misuse user data (if you have installed a Facebook product on your phone, bless your heart), users can reduce their risk of being fooled by some malicious program and/or unreliable application by taking a moment to (at least) Google the name of the application's developer, just as they would when choosing a mechanic, an electrician or anyone else offering them a service.

You should be particularly skeptical when a service is offered to you for free. If a random person offered to repair the brakes on your car for free, you would refuse (I hope). Downloading a random application with this level of access to your data is virtually no different from unlocking your phone and handing it to a stranger at the mall.

Just take a quick look at WiFi Finder's short privacy policy, which includes a link to an "Application Privacy Policy Generator" (lol), to realize that the risk of a problem is very high. So please, for God's sake, exercise an ounce of common sense.

[TechCrunch]
