The disclosure came in the form of a blog post a week ago by Micah Lee of the Electronic Frontier Foundation.
The backup option on an Android phone is on by default. All app data, Wi-Fi passwords and other settings are backed up to Google servers. And everyone who wants to use services on an Android phone has to have a Google account.
Lee said he had discovered this flaw when he formatted his phone and flashed a stock Android ROM. He then logged into his Google account and found that the phone had automatically connected to his password-protected Wi-Fi network.
Lee's discovery assumes additional importance in view of the recent revelations that Google has been feeding users' data to the NSA.
In his bug report, Lee wrote: "The 'Back up my data' option in Android is very convenient. However, it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.
"You could implement this the same way Chrome's sync feature is implemented, with two options: Encrypt synced passwords with your Google credentials; Encrypt all synced data with your own sync passphrase.
"Since backup and restore is such a useful feature, and since it's turned on by default, it's likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it's likely that Google has plaintext wifi passwords for the majority of password-protected wifi networks in the world."