Lenovo used 12345678 as a hard-coded password in SHAREit for Windows

David bisson
David Bisson
@
@DMBisson

Lenovo dumb password
Lenovo has issued fixes for four security issues found in SHAREit for Android and Windows, including the use of “12345678” as a hard-coded password.

On Monday, CoreLabs, the research center of Core Security, issued an advisory about the vulnerabilities.

Each of the issues was remotely exploitable. Together, the four bugs affected the Android 3.0.18_ww and Windows 2.5.1.1 versions of SHAREit, a free application made by Lenovo that allows users to share files and folders across smartphones, tablets, and personal computers.

Lenovo shareit

Sign up to our free newsletter.
Security news, advice, and tips.

The first vulnerability (CVE-2016-1491) is perhaps the most infuriating. CoreLabs discovered that whenever SHAREit for Windows is configured to receive files, this process creates a Wi-Fi hotspot that is ‘protected’ by the password “12345678”.

Not surprisingly, this password just recently earned a top spot on the latest list of worst passwords you could possibly choose.

What is surprising is the fact that Lenovo would incorporate such an insecure password into its application — and one that does not change, no less!

Then again, I suppose the issue could be worse. In the second vulnerability (CVE-2016-1492), which applied only to SHAREit for Android, there is no password set up to protect the Wi-Fi hotspot when the app is configured to receive files.

To be sure, it doesn’t say much when Lenovo could have mitigated two separate vulnerabilities by adhering to the most basic principles of password security.

But moving right along. The third vulnerability (CVE-2016-1490) discovered by CoreLabs builds upon the insecure Windows password issue discussed above:

“When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit.”

Finally, both Windows and Android are susceptible to the fourth bug (CVE-2016-1489), which involves the transfer of files via HTTP without encryption, thereby allowing an attacker to perform man-in-the-middle (MitM) attacks in order to change the content of a file in transit.

Core Security originally sent a notification to Lenovo back in October of last year. Three months later, patches for both Android (available from the Google Play Store) and for Windows phone (available here) have now been released. It is in the interest of SHAREit users to implement those fixes as soon as possible.

Looking back, there’s no denying it. Lenovo had a tough year when it came to the security of its products.

About a year ago, news first broke of Superfish, the man-in-the-middle adware that affected all PCs produced by the Chinese computer technology company.

Superfish bank of america

Shortly thereafter, the company promised a cleaner and safer PC experience, but that didn’t prevent the discovery of a rootkit-like utility in August and two privilege escalation vulnerabilities a few months later.

Let’s hope Lenovo puts 2015 behind it and has a better year in 2016.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

7 comments on “Lenovo used 12345678 as a hard-coded password in SHAREit for Windows”

  1. coyote

    'including the use of "12345678" as a hard-coded password.'

    Absolutely ridiculous, unacceptable and inexcusable.

    That it could be exploited remotely is even worse.

    There is never an excuse for passwords like that not even decades ago but it absolutely is inexcusable now in 2016 (or if they found the flaws last year 2015 but that doesn't really change the severity and doesn't make it any more excusable).

    Shameful and disgraceful disregard for security.

    1. whatsapp · in reply to coyote

      Dude, that's offline transfer app. no one in the other side of world can attack your information.

  2. Tom

    I have a computer store in Mexico. Until recently I was a huge Lenovo fan and sold enough of them that they sent me on several award trips.

    But they have changed recently. Now I can't add memory to a laptop computer (that I buy with only 2GB) without voiding the warranty. Where I used to have excellent warranty on site, now I have to send the machine to a service center 300 miles from here. On my dime.

    When the Superfish incident happened I was not at all concerned because I knew they were a good company and would look after it and learn from the lesson. Not so much aparrently.

    But this 12345678 password totally blows by all the lowest standards of online security. It's even published on line year after year as the weakest password there is. Does Lenovo not read???

    I'm switching my stock to Dell and HP because of stuff like this

  3. Mark Jacobs

    I'm in the market for some new laptops for our business, and we'd usually get Lenovos. Not this time – we'll be looking at anything but!

  4. Allan Watson

    As soon as I saw the ShareIt logo, I knew I had seen it somewhere. Then it clicked, the top right-hand corner of Microsoft Edge. So, Microsoft include apps in with their products without checking for security issues? Why am I not surprised?

  5. whatsapp

    That's not online security, it's "offline security", SHAERit is offline transfer tool.
    So many open wifi around the world, besides SHAREit hotspot is only active when transfer, normally several seconds or minutes.

    1. Visiman · in reply to whatsapp

      I haven't installed SHAREit but it is a Lenovo computer, so whenever it restarts it pops up to connect to Windows Phone, iOS etc. There is no cancel button on on the application but only a button to NEXT. Is it possible to delete this pop up, I do not want it. The Lenovo computer should not force me to click NEXT one day when I am not careful!

Leave a Reply to whatsapp Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.