Researchers at Core Security posted an advisory that listed four vulnerabilities in Lenovo’s ShareIT function that could result in man-in-the-middle attacks, information leaks and the bypassing of encryption.
ShareIT is a free Lenovo application that lets users share files and folders between computers, smartphones and tablets.
The flaws affect ShareIT for Android 3.0.18 and Windows 188.8.131.52. Other products and versions may also be affected, but they were not tested.
The first security update (CVE-2016-1491) fixes a hard-coded password flaw affecting Windows that leaves WiFi hotspots open to exploitation.
“When Lenovo ShareIT for Windows is configured to receive files, a WiFi hotspot is set with an easy password (12345678). Any system with a WiFi network card could connect to that hotspot by using that password. The password is always the same,” explained the advisory.
Source: New feed