Lenovo fixes hard-coded password in file-sharing utility
Lenovo has been forced to release urgent software fixes after a number of embarrassing flaws were uncovered in its products, including one that left a hard-coded password set to “12345678” by default.
Earlier this week, Core Security published an advisory calling out a severe security threat in Lenovo’s SHAREit program for Windows and Android. According to the researchers, SHAREit for Android version 3.0.18_ww and SHAREit for Windows version 2.5.1.1 were found to have multiple vulnerabilities that could result in integrity corruption, information leaks and security bypasses.
Lenovo chose to use a hard-coded password for the Wi-Fi hotspot, meaning that you, the user, can’t change it. And every version of SHAREit uses the same password. The app lets users share files between their phones, tablets, laptops and desktops, and uses a series of predefined folders to move files around, similar to how Dropbox works.
According to researchers at Core Security, though, the application has four vulnerabilities, including the password flaw. This meant that anyone could connect to the hotspot just by taking a relatively straightforward guess as to what the password might be. “The password is always the same”, said an advisory notice from Core. Attackers could browse files on the computer that runs the Wi-Fi hotspot by sending specific HTTP requests to a web server that the app has also secretly opened.
Lenovo has been forced to issue a security update to its file-sharing app, after setting it up with the password “12345678”. “An attacker that is able to sniff the network traffic could view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files”. As you read on at The Inquirer, the story gets even better: files are transferred in the clear without any encryption, and the app even creates an open Wi-Fi hotspot for you, to make sharing your files even easier for all and sundry.
“Following industry best practice, Lenovo has made available updated versions of SHAREit which fix and eliminate these vulnerabilities in advance of this disclosure”, said a spokesperson for the company.