Lenovo ShareIT Users Urged to Patch Data Leak Flaws


Users of Lenovo's ShareIT app are being urged to update it after researchers released details of four vulnerabilities which could allow attackers on the same Wi-Fi network to view, intercept and tamper with victims' files.

Core Security published its advisory on Monday, having privately disclosed the issues to the Chinese PC giant in October last year.

ShareIT is a free app from Lenovo which is designed to let users share files between their smartphone, tablet and computer.

The first flaw, CVE-2016-1491, affects the Windows version: the Wi-Fi hotspot that ShareIT creates is protected by a hardcoded, easy-to-guess password, "12345678".

“Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same,” said Core Security in the advisory.

The second flaw, CVE-2016-1490, means that once an attacker has joined that hotspot using the hardcoded password, the victim's files can be browsed (though not downloaded) by sending HTTP requests to the web server that ShareIT launches on the Windows machine.
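A practitioner triaging the Windows side of this would want a quick way to tell whether a host is currently advertising a hotspot with the hardcoded key. The following PowerShell check is an added example for this article; it is not code from Lenovo or Core Security. It assumes that ShareIT for Windows creates its hotspot through the Windows hosted-network feature, so that `netsh wlan show hostednetwork` describes it (if ShareIT uses a different mechanism, the check finds nothing and that is not a clean bill of health). Showing the key with `setting=security` requires an elevated prompt.

```powershell
# Added example (not Lenovo's or Core Security's code): report whether this Windows
# host is running a Wi-Fi hosted network protected by the hardcoded ShareIT key
# "12345678" described in CVE-2016-1491.
# Assumption: ShareIT's hotspot is a Windows hosted network, so netsh can see it.
# Run from an elevated PowerShell prompt; the key is only printed to administrators.

$WeakKey = '12345678'

function Get-HostedNetworkState {
    # netsh prints "SSID name : "<ssid>"", "User security key : <key>" and, under
    # "Hosted network status", "Status : Started" or "Status : Not started".
    $raw = netsh wlan show hostednetwork setting=security 2>&1 | Out-String
    $status = if ($raw -match 'Status\s*:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'Unknown' }
    $ssid   = if ($raw -match 'SSID name\s*:\s*"?([^"\r\n]+)"?') { $Matches[1].Trim() } else { '' }
    $key    = if ($raw -match 'User security key\s*:\s*(\S+)') { $Matches[1] } else { '' }
    [pscustomobject]@{ Status = $status; SSID = $ssid; Key = $key }
}

function Test-ShareItWeakHotspot {
    param([Parameter(Mandatory)] $State)
    # Only a running hosted network is reachable by an attacker; a configured but
    # stopped one is not flagged, but the weak key is still worth replacing.
    return ($State.Status -eq 'Started' -and $State.Key -eq $WeakKey)
}

$state = Get-HostedNetworkState
if (Test-ShareItWeakHotspot $state) {
    Write-Warning ("Hosted network '{0}' is running with the hardcoded key {1} (CVE-2016-1491). " +
                   "Update ShareIT, then stop the hotspot: netsh wlan stop hostednetwork") -f $state.SSID, $WeakKey
} elseif ($state.Key -eq $WeakKey) {
    Write-Warning "A hosted network is configured with the key $WeakKey but is not running (status: $($state.Status))."
} else {
    Write-Output "No hosted network using the key $WeakKey was found (status: $($state.Status))."
}
```

The check says nothing about the Android side (CVE-2016-1492), where the receiving hotspot has no password at all; there the only remedy is updating the app.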

The third, CVE-2016-1489, affects both the Windows and Android versions: files are transferred over plain HTTP with no encryption.

“An attacker that is able to sniff the network traffic could view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files,” warned Core Security.

Finally, CVE-2016-1492 affects only the Android version; Core Security described it as follows:

“When the application is configured to receive files, an open Wifi HotSpot is created without any password. An attacker could connect to that HotSpot and capture the information transferred between those devices.”

All four vulnerabilities could result in serious data security issues if not patched.

The affected versions of the file-sharing app are ShareIT for Android 3.0.18_ww and ShareIT for Windows 2.5.1.1; Lenovo has released updated versions of both.

It’s not a great start to 2016 for Lenovo given its trials and tribulations in 2014-15 over the Superfish scandal.
