Lenovo's ShareIT has Default Password "12345678"
Posted by: Timothy Weaver on 03/02/2016 11:19 AM
Lenovo has published four fixes in an advisory affecting ShareIT for Android 3.0.18 and Windows 2.5.1.1. ShareIT is a free Lenovo application that lets users share files and folders between computers, smartphones and tablets.
The first security update (CVE-2016-1491) fixes a hard-coded password flaw affecting Windows that leaves WiFi hotspots open to exploitation.
"When Lenovo ShareIT for Windows is configured to receive files, a WiFi hotspot is set with an easy password (12345678). Any system with a WiFi network card could connect to that hotspot by using that password. The password is always the same," explained the advisory.
The second flaw also involves the hard-coded password 12345678. When the WiFi network is on and a client has connected using the default password, files can be browsed with a simple HTTP request. That flaw is CVE-2016-1490.
The third fix (CVE-2016-1489) addresses a fault that left files transferred in ShareIT without encryption. "An attacker that is able to sniff the network traffic could view the data transferred or perform man-in-the-middle attacks, for example by modifying the content of the transferred files," the advisory said.
The fourth flaw (CVE-2016-1492) would allow a hacker to log into a hotspot and capture data transferred between connected devices. A hotspot connection could be made without a password.
Core Security revealed that the problems were reported to Lenovo in October, and the fixes were finally rolled out on 25 January.
Source: Computing.Co.Uk.