Skip to main content

Lenovo protected its file sharing app with “12345678” password

lenovo android yoga laptop tablet store storefront sign hq headquaters
Image used with permission by copyright holder
A security researcher has discovered a number of vulnerabilities in Lenovo’s SHAREit app, the worst being the use of “12345678” as a hard-coded, default password. The problems have been patched in the software’s latest release.

SHAREit is an app found on many of Lenovo’s products to allow users to share files across devices. Some ThinkPad, and IdeaPad computers, along with Lenovo smartphones, were impacted by the bug.

Core Security found four vulnerabilities in the app but the password issues stick out the most. In one of its advisories, Core Security found that when the app is receiving files, it sets a password (in this case “12345678”) on a Wi-Fi hotspot. This meant someone could access the hotspot by guessing the password, which always stayed the same, according to Core.

“This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password,” the advisory said. The vulnerability is particularly dangerous considering how weak and simple the password is.

In another SHAREit bug, Core found that users can open a Wi-Fi hotspot without a password and potentially intercept files transfers from Windows to Android devices. The other two vulnerabilities showed ways in which an malicious actor could browse through your files or carry out man in the middle attacks, intercepting files between devices.

“The files are transfered via HTTP without encryption,” wrote Core’s researchers in their report. “An attacker that is able to sniff the network traffic could to view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files.”

Ivan Huertas of Core Security first discovered the vulnerabilities last October and disclosed them to Lenovo privately before going public. Lenovo has since patched the vulnerabilities with details on its support page and provided information on updates.

“Following industry best practice, Lenovo has made available updated versions of SHAREit which fix and eliminate these vulnerabilities in advance of this disclosure,” said a spokesperson for the company. “Users can resolve the vulnerability from their devices by updating to the latest version of SHAREit.”

If you think you may have been affected, you will find these updates versions available on Lenovo’s website, or the Google Play Store, in the case of the Android app.

Editors' Recommendations

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Hackers may have stolen the master key to another password manager
keepass master password plain text vulnerability open padlock cybersecurity

The best password managers are meant to keep all your logins and credit card info safe and secure, but a major new vulnerability has just put users of the KeePass password manager at serious risk of being breached.

In fact, the exploit allows an attacker to steal a KeePass user’s master password in plain text -- in other words, in an unencrypted form -- simply by extracting it from the target computer’s memory. It’s a remarkably simple hack, yet one that could have worrying implications.

Read more
No, 1Password wasn’t hacked – here’s what really happened
A person using the 1Password password manager on a laptop while sat on a couch.

Password managers have been struggling with security breaches in recent months, with LastPass suffering a particularly bad hack as a notable example. So when 1Password users got an alert last week saying their Secret Keys and passwords had been changed without their knowledge, they were understandably panicked. Luckily, all was not what it seemed.

That’s because AgileBits, the company behind 1Password, has just explained exactly what went wrong during that event. And while it wasn’t as bad as everyone first thought, it still doesn’t paint AgileBits in a particularly good light.

Read more
Lenovo just killed its Legion gaming phones, and that’s a shame
The Lenovo Legion Phone Duel 2.

There had been some recent rumors that Lenovo would be sunsetting its Legion brand gaming phones, and now it's been officially confirmed.

In a statement to Android Authority, Lenovo confirmed that it will be stopping its current gaming phone efforts as the company restructures its approach to its "gaming portfolio."

Read more