Earlier this week, Core Security shared an advisory calling out a severe security threat in Lenovo’s ShareIt program for Windows and Android. The app, which allows you to share files between PCs and mobile devices, had a hard-coded password that is the same on every device when it sets up a Wi-Fi Hotspot to receive files. Not only that, it’s a pretty terrible password too: 12345678. That’s the kind of password an idiot would have on his luggage.
Thankfully, Lenovo has patched the issue, so if you’re using ShareIt Android version 3.0.18_ww or Windows version 220.127.116.11, make sure it’s up to date.
According to Core Security, the flaw meant that if you could connect to the Hotspot over a WiFi connection and input the simple password, you’d be able to browse the file system of the device remotely by performing an HTTP request to the WebServer. Files were also transferred via HTTP without encryption, meaning data could be viewed as it was transferred, and also allowing man in the middle attacks.
This is the second time in 12 months that Lenovo has had to fix big security flaws. In February last year, its laptops came pre-installed with the Superfish software that made the hardware vulnerable to all sorts of attacks.