Lenovo has just patched up a piece of its software to remove major security flaws which included a rather unbelievable password blunder.
By now, we're all used to the regular articles about how Joe Public's password practices are terrible, but you wouldn't expect a computing giant like Lenovo to use a default password for an app which made the worst passwords of 2015 list.
Unfortunately, as Core Security spotted, that's exactly what Lenovo did with its ShareIt app for Windows and Android, a program that allows file sharing between PCs and phones/tablets, and had a default password which is the same for every user when it sets up a Wi-Fi hotspot in order to facilitate the transfer of files.
And that default password was: '12345678'. Which just happens to be third place on the latest stupid password list (only bested by the slightly less secure because it's shorter '123456', and that old chestnut 'password').
In other words, anyone could connect to the hotspot via a device with Wi-Fi, either knowing the password was this, or simply by guessing the password given its eminently guessable nature, and subsequently view the files (via an HTTP Request to the web server launched by the program).
No encryption
Core Security also noted that the files being shared were transferred via HTTP with no encryption used, a further vulnerability which is obviously bad news and could potentially allow an attacker to view the data being transferred.
However, as we said at the outset, the good news is that all this has now been changed with the latest patch – so if you use ShareIt, do make sure you update to the latest version.
ShareIt is used for quick and convenient file sharing by some 30 million folks across the world.
Via: PC Gamer
- Also check out: Why is your password still password?
No comments:
Post a Comment