Lenovo has issued updates to address a hard-coded password flaw and other security issues with its file sharing utility SHAREit.
Lenovo has addressed a serious flaw in its PC and Android versions of SHAREit, which enabled anyone on a LAN or wireless hotspot to potentially view and copy files from another computer or device running the SHAREit application. Though that was always the intention of the application — to make file sharing painless — it was probably not intended to be so open to anyone.
The flaw was down to a hard-coded password that authenticated users and allowed them to connect to any other computer on a LAN or wireless connection running SHAREit and view and even download files. The password embedded in the code, “12345678”, was discovered by security firm Core Security, which informed Lenovo back in October 2015. In addition to being hard-coded, the password was also persistent, in that it could not be changed by the user.
However, Lenovo’s security lapses were not confined to the poor practice of hard-coding a persistent password that the user was unable to change. The Android versions had no password at all, which allowed any Android device to connect over a Wi-Fi connection at will.
Furthermore, Core Security also discovered other security flaws. For example, files were transferred using HTTP without any encryption, making them vulnerable to eavesdropping or man-in-the-middle attacks.
Lenovo has made several changes to SHAREit. The vulnerable SHAREit versions are the Android 3.0.18_ww and Windows 18.104.22.168 packages. The updated versions are 3.2.0 for Windows and 3.5.38_ww for Android. Windows users should see a prompt to update the next time the application is opened.