Lenovo makes security blunder with 12345678 password
Lenovo's file-sharing app had three other security flaws too, researchers find
Lenovo has been forced to issue a security update to its file-sharing app, after setting it up with the password "12345678".
The SHAREit software is bundled with many of Lenovo's Windows and Android devices, and enables users to share files between PCs, smartphones and tablets.
According to researchers at Core Security, though, the application has four vulnerabilities, including the weak default password.
"When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same," said an advisory notice from Core.
The defect (CVE-2016-1491) affects SHAREit for Android 3.0.18 and Windows 2.5.1.1. Other products and versions may also be affected, but they were not tested.
Another flaw (CVE-2016-1490) affects remote browsing of file-sharing in the app, explained Core.
"When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the Web Server launched by Lenovo SHAREit," said the firm in the same advisory.
A third flaw (CVE-2016-1489) means files are transferred in plain text. "An attacker that is able to sniff the network traffic could view the data transferred or perform man-in-the-middle attacks, for example by modifying the content of the transferred files."
A fourth problem with the app is that an attacker could connect to a wireless network set up by the app and "capture the information transferred between those devices", because the app can create an open wireless network without any password.
The IT security firm said it had alerted Lenovo about the problems in October, but Lenovo has only just issued a patch to fix the multiple problems.
As reported previously by IT Pro, Lenovo urged users in December to uninstall its own system-health monitoring software in order to fix a flaw in it. Researchers also found a vulnerability in Lenovo's System Update service in May last year.
It was also forced to apologise to customers after shipping some hardware carrying bloatware dubbed Superfish, which had a serious flaw that could leave computers open to hackers.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.