What do you expect a tech giant to protect your backdoor security with?
Holy Cow! It's "12345678" as a Hard-Coded Password.
Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit that could be exploited by anyone who can guess '12345678' password.
The Chinese largest PC maker made a number of headlines in past for compromising its customers security.
It had shipped laptops with the insecure SuperFish adware, it was caught using Rootkit to secretly install unremovable software, its website was hacked, and it was caught pre-installing Spyware on its laptops. Any of these incidences could have been easily prevented.
Now, Research center of Core Security CoreLabs issued an advisory on Monday that revealed several software vulnerabilities in Lenovo SHAREit app for Windows and Android that could result in:
- Information leaks
- Security protocol bypass
- Man-in-the-middle (MITM) attacks
Critical Vulnerabilities in SHAREit
SHAREit is a free file sharing application that is designed to allow people to share files and folders from Android devices or Windows computers over a local LAN or through a Wi-Fi hotspot that's created.
All the vulnerabilities were remotely exploitable and affected the Android 3.0.18_ww and Windows 2.5.1.1 versions of SHAREit.
Here's the list of four vulnerabilities:
- Use of Hard-coded Password [CVE-2016-1491]
- Missing Authorization [CVE-2016-1492]
- Missing Encryption of Sensitive Data [CVE-2016-1489]
- Information Exposure [CVE-2016-1490]
The first vulnerability (CVE-2016-1491) would make you scream… How Dare You!
Using '12345678' as Hard Coded Password
Lenovo was using '12345678' as a hard-coded password in SHAREit for Windows that has been awarded the title of the Third Worst Password of 2015 by the password management firm SplashData.
Here's what Core Security researchers explain:
"When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same."
This is ridiculous especially when the passwords in any application are hard-coded and unchangeable by an average user, putting its consumers and their data at risk.
Other Critical Flaws Left Millions of Users at Risk
However, the issue got worse when the second vulnerability (CVE-2016-1492) came into play. In the second flaw, that applied only to SHAREit for Android, an open WiFi hotspot is created without any password when the app is configured to receive files.
This could have allowed an attacker to connect to that insecure WiFi hotspot and capture the data transferred between Windows and Android devices.
This didn't end here. Both Windows and Android were open to the third flaw (CVE-2016-1489) that involved the transfer of files via HTTP without encryption.
This allowed hackers to sniff the network traffic and view the data transferred or perform Man-in-the-Middle (MitM) attacks in order to modify the content of the transferred files.
Finally, the last but not the least, fourth vulnerability (CVE-2016-1490) discovered by CoreLabs relates to the remote browsing of file systems within Lenovo ShareIt and builds upon the default 12345678 Windows password issue reported above.
"When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit," says the advisory.
Patch Now!
The researchers at Core Security privately reported the flaws to Lenovo back in October last year, but the tech giant took three months to patch the flaws.
Patches for both Android as well as Windows phone are made available on the Google Play Store and here, respectively. So, SHAREit users are advised to update their apps as soon as possible.