SHAREit is an app found on many of Lenovo’s products to allow users to share files across devices. Some ThinkPad, and IdeaPad computers, along with Lenovo smartphones, were impacted by the bug.
Core Security found four vulnerabilities in the app but the password issues stick out the most. In one of its advisories, Core Security found that when the app is receiving files, it sets a password (in this case “12345678”) on a Wi-Fi hotspot. This meant someone could access the hotspot by guessing the password, which always stayed the same, according to Core.
“This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password,” the advisory said. The vulnerability is particularly dangerous considering how weak and simple the password is.
In another SHAREit bug, Core found that users can open a Wi-Fi hotspot without a password and potentially intercept files transfers from Windows to Android devices. The other two vulnerabilities showed ways in which an malicious actor could browse through your files or carry out man in the middle attacks, intercepting files between devices.
“The files are transfered via HTTP without encryption,” wrote Core’s researchers in their report. “An attacker that is able to sniff the network traffic could to view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files.”
Ivan Huertas of Core Security first discovered the vulnerabilities last October and disclosed them to Lenovo privately before going public. Lenovo has since patched the vulnerabilities with details on its support page and provided information on updates.
“Following industry best practice, Lenovo has made available updated versions of SHAREit which fix and eliminate these vulnerabilities in advance of this disclosure,” said a spokesperson for the company. “Users can resolve the vulnerability from their devices by updating to the latest version of SHAREit.”
If you think you may have been affected, you will find these updates versions available on Lenovo’s website, or the Google Play Store, in the case of the Android app.
Editors' Recommendations
- The 1Password Android app just got a huge upgrade
- Disney+ to begin crack down on password sharing
- The Steam Deck and Nintendo Switch had a baby, and it’s Lenovo’s Legion Go
- Hackers may have stolen the master key to another password manager
- No, 1Password wasn’t hacked – here’s what really happened
