What kind of password would you expect a tech giant to use to protect your data?
Holy Cow! It's "12345678" as a hard-coded password.
Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file-sharing software SHAREit, which could be exploited by anyone able to guess "12345678".
The Chinese company, the world's largest PC maker, has made a number of headlines in the past for compromising its customers' security.
It shipped laptops with the insecure Superfish adware, it was caught using a rootkit to secretly reinstall unremovable software, its website was hacked, and it was caught pre-installing spyware on its laptops. Any of these incidents could have been easily prevented.
Now, CoreLabs, the research center of Core Security, has issued an advisory on Monday that reveals several software vulnerabilities in the Lenovo SHAREit app for Windows and Android.
SHAREit is a free file-sharing application designed to let people share files and folders between Android devices or Windows computers over a local LAN or through a Wi-Fi hotspot that the app creates.
All the vulnerabilities were remotely exploitable and affected SHAREit for Android version 3.0.18_ww and SHAREit for Windows version 2.5.1.1.
Here's the list of the four vulnerabilities:
The first vulnerability (CVE-2016-1491) would make you scream... How dare you!
Lenovo was using "12345678" as a hard-coded password in SHAREit for Windows, a string that the password-management firm SplashData ranked as the third worst password of 2015.
Here's what the Core Security researchers explain:
> "When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same."
This is ridiculous, especially because the password is hard-coded into the application and cannot be changed by an average user, which puts consumers and their data at risk.
However, the issue got worse with the second vulnerability (CVE-2016-1492). In this flaw, which applied only to SHAREit for Android, an open Wi-Fi hotspot is created without any password at all when the app is configured to receive files.
This could allow an attacker within Wi-Fi range to connect to that insecure hotspot and capture the data transferred between Windows and Android devices.
It didn't end there. Both Windows and Android were open to the third flaw (CVE-2016-1489), which involves the transfer of files over plain HTTP without encryption.
This allowed an attacker on the same network to sniff the traffic and view the data being transferred, or to perform man-in-the-middle (MitM) attacks in order to modify the content of the transferred files.
Finally, last but not least, the fourth vulnerability (CVE-2016-1490) discovered by CoreLabs concerns remote browsing of the file system through Lenovo SHAREit and builds upon the default 12345678 Windows password issue described above.
> "When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit," says the advisory.
The researchers at Core Security privately reported the flaws to Lenovo in October last year, but the tech giant took three months to patch them.
Patches for both the Android and Windows versions are now available, from the Google Play Store and from Lenovo respectively, so SHAREit users are advised to update their apps as soon as possible.