Lenovo SHAREit App Secured By ‘12345678’ Password
File-sharing app safeguarded by world’s worst password, as Chinese PC maker rushes out security fixes
Lenovo is once again at the centre of a security scare, after it issued patches for serious vulnerabilities in its free SHAREit application.
The SHAREit file-sharing application is available for Android, Microsoft Windows, Windows Phone and iOS and allows Lenovo users to share files and folders across tablets, smartphones, and personal computers, without the need for USB sticks or email attachments.
Schoolboy Error
The application is free of charge to Lenovo users, but last October Core Security discovered multiple vulnerabilities in the Android and Windows versions of the application.
“Lenovo SHAREit for Windows and Android are prone to multiple vulnerabilities which could result in integrity corruption, information leak and security bypasses,” Core said in its advisory.
Perhaps the most serious vulnerability patched is CVE-2016-1491. The problem here will infuriate security professionals who have been warning about weak passwords for years now.
Core Security discovered that whenever SHAREit for Windows is configured to receive files, a Wi-Fi hotspot is set with a ridiculously easy password. The password is 12345678. And to make matters worse, this password is hardcoded and cannot be changed for a more secure password.
The second vulnerability (CVE-2016-1492) is perhaps even more alarming. It applies only to SHAREit for Android: shockingly, no password at all is used to protect the Wi-Fi hotspot when the app is configured to receive files.
The third vulnerability (CVE-2016-1490) is related to the weak Windows password. “When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit,” wrote Core Security.
The fourth and final vulnerability (CVE-2016-1489) concerns both the Windows and Android versions and relates to how files are transferred via HTTP without encryption.
“The files are transferred via HTTP without encryption,” said Core Security. “An attacker that is able to sniff the network traffic could view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files.”
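As an added example (not taken from Core Security's advisory or from Lenovo's code), the following Python check flags the weaknesses described above in a receiver's hotspot and transfer settings, and generates a fresh passphrase per receive session instead of a fixed one. The config dictionary keys, the weak-password list and the receiver.example URLs are assumptions constructed for illustration.

```python
import secrets
import string

# Constructed sample list; "12345678" is the value reported under CVE-2016-1491.
KNOWN_WEAK = {"12345678", "password", "00000000", "87654321"}
ALPHABET = string.ascii_letters + string.digits


def new_session_passphrase(length=20):
    """Fresh WPA2-PSK passphrase per receive session (valid range is 8-63 chars)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_sequential(s):
    """True for runs such as 12345678 or 87654321 (every step is +1 or -1)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) > 1 and steps in ({1}, {-1})


def audit_hotspot(cfg):
    """Return findings for a hypothetical hotspot/transfer config dict."""
    findings = []
    psk = cfg.get("passphrase")
    if cfg.get("auth", "open") == "open" or not psk:
        findings.append("open-network")              # CVE-2016-1492 pattern
    else:
        if psk in KNOWN_WEAK or is_sequential(psk) or len(set(psk)) == 1:
            findings.append("guessable-passphrase")  # CVE-2016-1491 pattern
        if cfg.get("passphrase_source") == "hardcoded":
            findings.append("hardcoded-passphrase")
    if cfg.get("transfer_url", "").lower().startswith("http://"):
        findings.append("plaintext-transfer")        # CVE-2016-1489 pattern
    return findings


# Constructed sample configs mirroring the behaviour the article describes.
WINDOWS_RECEIVER = {"auth": "wpa2-psk", "passphrase": "12345678",
                    "passphrase_source": "hardcoded",
                    "transfer_url": "http://receiver.example/files"}
ANDROID_RECEIVER = {"auth": "open",
                    "transfer_url": "http://receiver.example/files"}

if __name__ == "__main__":
    for name, cfg in (("windows", WINDOWS_RECEIVER), ("android", ANDROID_RECEIVER)):
        print(name, audit_hotspot(cfg))
```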
Security Scares
This is not the first time that Lenovo has been at the centre of a security concern.
Almost a year ago Lenovo’s brand reputation took a serious hit when it was revealed that its laptops came with preinstalled adware that hijacked search results in favour of Lenovo’s business.
The adware, called Superfish, used a self-signed root certificate which allowed it to collect users’ data from web browsers. The certificate allowed the software to drop advertisements into browser sessions secretly.
The discovery prompted uproar and Lenovo pledged not to install the adware on new machines.
A rootkit-like utility was also discovered on Lenovo machines in August, according to security expert Graham Cluley. Two privilege escalation vulnerabilities were also apparently found a few months later.