Lenovo makes security blunder with 12345678 password

Password label

Lenovo has been forced to issue a security update to its file-sharing app, after setting it up with the password "12345678".

The SHAREIt software is bundled in with many of Lenovo's Windows and Android devices, and enables users to share files between PCs, smartphones and tablets.

According to researchers Core Security, though, the application has four vulnerabilities including the password fail.

"When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same," said an advisory notice from Core.

The defect (CVE-2016-1491) affects ShareIT for Android 3.0.18 and Windows Other products and versions may also be involved, but they were not tested.

Another flaw (CVE-2016-1490) affects remote browsing of file-sharing in the app, explained Core.

"When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the Web Server launched by Lenovo SHAREit," said the firm in the same advisory.

A third flaw (CVE-2016-1489) sees files transferred in plain text. "An attacker that is able to sniff the network traffic could view the data transferred or perform man-in-the-middle attacks, for example by modifying the content of the transferred files."

A fourth problem with the app is that an attacker could connect to a wireless network set up by the app and "capture the information transferred between those devices". An open wireless network could be created without any password.

The IT security firm said it had alerted Lenovo about the problems in October, but Lenovo has only just issued a patch to fix the multiple problems.

As reported previously by IT Pro, Lenovo urged users in December to uninstall its own software to fix a flaw in its software that monitors a system's health. Researchers also found a vulnerability in Lenovo's System Update service in May last year.

It was also forced to apologise to customers after shipping some hardware carrying bloatware dubbed Superfish, which had a serious flaw that could leave computers open to hackers.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.