Lenovo’s SHAREit application has been revealed by a security researcher to use “12345678” as the default, hard-coded password. Besides the incredibly weak password discovered, the researcher was also able to point to a number of other vulnerabilities.
SHAREit is an application commonly found on several Lenovo products including computers such as the ThinkPad, IdeaPad, Yoga and more. The app is also found among Lenovo smartphones and is commonly used to share files across devices by users.
Security firm Core Security revealed in an advisory that it had found four vulnerabilities within the application. The most glaring vulnerability was the password. Essentially, when the application is receiving a file or multiple files, it sets a password on a custom Wi-Fi hotspot. This means that anyone connecting to the hotspot would need to know the password to send the files. As it turned out, the hard-coded password is easily guessable: “12345678.”
It’s a glaring vulnerability and one that Lenovo took to fixing quickly with an update for the application.
Another SHAREit bug allowed Wi-Fi hotspots to be set up without a password, which could potentially enable a man-in-the-middle attack in which files being shared between other devices are intercepted.
“The files are transferred via HTTP without encryption,” wrote the security researchers in their report. “An attacker that is able to sniff the network traffic could view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files.”
The two other vulnerabilities revealed ways in which a malicious threat actor could browse and scan through files and intercept file transfers between Windows and Android devices.
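The hard-coded password and the unprotected transfer compound each other. As an added illustration (not code from Core Security, Lenovo or SHAREit), this Python sketch assumes a hypothetical transfer scheme in which the hotspot passphrase also keys an HMAC over each file: a random per-session passphrase lets the receiver reject modified content, while the shared default lets anyone who knows it produce a tag the receiver accepts. All function names and the sample file are constructed for the example.

```python
import hashlib
import hmac
import secrets

HARDCODED_DEFAULT = "12345678"  # the shared default reported in the article

def new_session_passphrase() -> str:
    """Fresh hotspot passphrase per transfer, from the OS CSPRNG.
    16 random bytes -> 22 URL-safe chars, within WPA2-PSK's 8-63 limit."""
    return secrets.token_urlsafe(16)

def integrity_key(passphrase: str, session_id: bytes) -> bytes:
    """Derive a separate MAC key bound to this session (assumed scheme)."""
    return hmac.new(passphrase.encode(), b"demo-file-integrity|" + session_id,
                    hashlib.sha256).digest()

def tag_file(key: bytes, name: str, data: bytes) -> str:
    """HMAC-SHA256 over a length-prefixed file name plus the content."""
    encoded = name.encode()
    msg = len(encoded).to_bytes(2, "big") + encoded + data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_file(key: bytes, name: str, data: bytes, tag: str) -> bool:
    """Constant-time check the receiver runs before accepting the file."""
    return hmac.compare_digest(tag_file(key, name, data), tag)

def demo() -> dict:
    session_id = secrets.token_bytes(8)
    original = b"quarterly-report v1"          # constructed sample content
    modified = b"quarterly-report v1 EDITED"   # constructed altered content
    results = {}
    for label, passphrase in (("hardcoded", HARDCODED_DEFAULT),
                              ("per_session", new_session_passphrase())):
        key = integrity_key(passphrase, session_id)
        tag = tag_file(key, "report.txt", original)
        # Anyone who knows only the public default can derive this key.
        guessed = integrity_key(HARDCODED_DEFAULT, session_id)
        forged = tag_file(guessed, "report.txt", modified)
        results[label] = {
            "original_ok": verify_file(key, "report.txt", original, tag),
            "tamper_detected": not verify_file(key, "report.txt", modified, tag),
            "forgery_accepted": verify_file(key, "report.txt", modified, forged),
        }
    return results
```

The tag only protects the transfer when the passphrase is unpredictable and shown to the sender out of band; it does not hide the content, which still needs an encrypted channel.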
The security team discovered the vulnerabilities as early as October 2015 and disclosed them to Lenovo privately. Since then, Lenovo has patched the vulnerabilities with updates, and details are provided on its support page.
“Following industry best practice, Lenovo has made available updated versions of SHAREit which fix and eliminate these vulnerabilities in advance of this disclosure,” a Lenovo spokesman said. “Users can resolve the vulnerability from their devices by updating to the latest version of SHAREit.”
Meanwhile, 12345678 figures among the top ten worst passwords of 2015, as the third worst password of last year.
Image credit: Wikimedia.