Lenovo has issued fixes for four security issues found in SHAREit for Android and Windows, including the use of “12345678” as a hard-coded password.
On Monday, CoreLabs, the research center of Core Security, issued an advisory about the vulnerabilities.
Each of the issues was remotely exploitable. Together, the four bugs affected the Android 3.0.18_ww and Windows 220.127.116.11 versions of SHAREit, a free application made by Lenovo that allows users to share files and folders across smartphones, tablets, and personal computers.
The first vulnerability (CVE-2016-1491) is perhaps the most infuriating. CoreLabs discovered that whenever SHAREit for Windows is configured to receive files, this process creates a Wi-Fi hotspot that is ‘protected’ by the password “12345678”.
Not surprisingly, this password just recently earned a top spot on the latest list of worst passwords you could possibly choose.
What is surprising is the fact that Lenovo would incorporate such an insecure password into its application — and one that does not change, no less!
Then again, I suppose the issue could be worse. In the second vulnerability (CVE-2016-1492), which applied only to SHAREit for Android, there is no password set up to protect the Wi-Fi hotspot when the app is configured to receive files.
To be sure, it doesn’t say much for Lenovo that two separate vulnerabilities could have been prevented simply by adhering to the most basic principles of password security.
But moving right along. The third vulnerability (CVE-2016-1490) discovered by CoreLabs builds upon the insecure Windows password issue discussed above:
“When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit.”
Finally, both Windows and Android are susceptible to the fourth bug (CVE-2016-1489), which involves the transfer of files via HTTP without encryption, thereby allowing an attacker to perform man-in-the-middle (MitM) attacks in order to change the content of a file in transit.
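The fourth bug above comes down to the receiver having no way to tell whether the bytes it got are the bytes the sender put on the wire. The following added example, which is not code from the article or from Lenovo’s SHAREit, shows the defensive side of that point: the sender attaches an HMAC-SHA256 tag computed with a key the two devices share over a trusted path (a hypothetical pairing secret, constructed here), and the receiver rejects any payload whose tag no longer matches. A helper simulates a single byte being altered in transit so the failure mode is visible. The key, sample payload and function names are all assumptions of this example.

```python
import hmac
import hashlib

# Hypothetical shared key. In a real design it would be exchanged over a
# trusted path (for example a pairing code shown on both devices); it is a
# constructed constant here so the example runs offline.
SHARED_KEY = b"example-pairing-secret-not-from-the-page"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Prefix the payload with an HMAC-SHA256 tag so the receiver can detect
    any modification made while the bytes crossed an unencrypted link."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def verify(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Return the payload if its tag is valid, otherwise raise ValueError.
    hmac.compare_digest is used so the comparison does not leak the tag
    through timing differences."""
    if len(message) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    tag, payload = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: payload was altered in transit")
    return payload


def altered_in_transit(message: bytes) -> bytes:
    """Constructed test helper: simulate an on-path change to the plaintext
    HTTP body by flipping one bit of the last byte and leaving the tag as is."""
    body = bytearray(message)
    body[-1] ^= 0x01
    return bytes(body)


def transfer_is_intact(payload: bytes, alter: bool) -> bool:
    """Run one round trip and report whether the receiver accepted the file."""
    wire = protect(payload)
    if alter:
        wire = altered_in_transit(wire)
    try:
        return verify(wire) == payload
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"constructed sample file contents\n"
    print("untouched transfer accepted:", transfer_is_intact(sample, alter=False))
    print("altered transfer accepted:  ", transfer_is_intact(sample, alter=True))
```

The key is what makes this work: a plain hash sent alongside the file over the same unprotected HTTP connection can simply be recomputed by whoever changes the file, so it detects accidental corruption but not deliberate modification. In practice the tag would travel with the file inside TLS, which supplies both the integrity check and the confidentiality the article notes is missing; the example isolates the integrity half so the check itself is easy to read.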
Core Security originally sent a notification to Lenovo back in October of last year. Three months later, patches for both Android (available from the Google Play Store) and for Windows phone (available here) have now been released. It is in the interest of SHAREit users to implement those fixes as soon as possible.
Looking back, there’s no denying it. Lenovo had a tough year when it came to the security of its products.
About a year ago, news first broke of Superfish, the man-in-the-middle adware that affected all PCs produced by the Chinese computer technology company.
Shortly thereafter, the company promised a cleaner and safer PC experience, but that didn’t prevent the discovery of a rootkit-like utility in August and two privilege escalation vulnerabilities a few months later.
Let’s hope Lenovo puts 2015 behind it and has a better year in 2016.