Lenovo makes security blunder with 12345678 password
Lenovo's file-sharing app had three other security flaws too, researchers find


Lenovo has been forced to issue a security update to its file-sharing app, after setting it up with the password "12345678".
The SHAREit software is bundled with many of Lenovo's Windows and Android devices, and enables users to share files between PCs, smartphones and tablets.
According to researchers at Core Security, though, the application has four vulnerabilities, including the password fail.
"When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same," said an advisory notice from Core.
The defect (CVE-2016-1491) affects SHAREit for Android 3.0.18 and Windows 2.5.1.1. Other products and versions may also be affected, but they were not tested.
Another flaw (CVE-2016-1490) affects remote browsing of file-sharing in the app, explained Core.
"When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the Web Server launched by Lenovo SHAREit," said the firm in the same advisory.
A third flaw (CVE-2016-1489) sees files transferred in plain text. "An attacker that is able to sniff the network traffic could view the data transferred or perform man-in-the-middle attacks, for example by modifying the content of the transferred files."
A fourth problem is that the app could create an open wireless network without any password. An attacker could connect to that network and "capture the information transferred between those devices".
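The hotspot weaknesses described above (a fixed password, an open network, unencrypted transfer) can be expressed as a configuration check. The following is an added example, not code from Lenovo or Core Security; the dictionary schema, the field names, the deny-list and the finding labels are assumptions made for illustration.

```python
import secrets
import string

# Constructed deny-list: the fixed password quoted in the advisory plus similar trivial values.
KNOWN_DEFAULTS = {"12345678", "00000000", "11111111", "password"}
ALPHABET = string.ascii_letters + string.digits


def new_session_passphrase(length=16):
    """Generate a fresh random passphrase for each receive session (WPA2-PSK allows 8-63 chars)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_hotspot(config, previous_passphrases=()):
    """Return findings for one hotspot configuration (hypothetical dict schema)."""
    findings = []
    psk = config.get("passphrase")
    if config.get("auth", "open") == "open" or not psk:
        findings.append("open-network")           # anyone in range can join
        psk = None
    if psk is not None:
        if psk in KNOWN_DEFAULTS:
            findings.append("default-passphrase")  # same secret on every install
        if psk.isdigit() or len(set(psk)) < 5:
            findings.append("low-entropy")         # digits only or few distinct chars
        if psk in previous_passphrases:
            findings.append("reused-across-sessions")
    if not config.get("encrypted_transport", False):
        findings.append("plaintext-transfer")      # sniffable and modifiable in transit
    return findings


# Constructed sample configurations, not captured from any device.
SAMPLES = {
    "fixed-password": {"auth": "wpa2-psk", "passphrase": "12345678"},
    "open-network": {"auth": "open"},
    "hardened": {"auth": "wpa2-psk", "passphrase": new_session_passphrase(),
                 "encrypted_transport": True},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit_hotspot(cfg, previous_passphrases=("12345678",)))
```
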
The IT security firm said it had alerted Lenovo about the problems in October, but Lenovo has only just issued a patch to fix the multiple problems.
As reported previously by IT Pro, Lenovo urged users in December to uninstall its own software to fix a flaw in its software that monitors a system's health. Researchers also found a vulnerability in Lenovo's System Update service in May last year.
It was also forced to apologise to customers after shipping some hardware carrying bloatware dubbed Superfish, which had a serious flaw that could leave computers open to hackers.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.