Lenovo File-Transfer Software Has Password '12345678'

  • MORE

In the past year, Lenovo developed a dubious track record of self-inflicted wounds, from preloading the security-disabling Superfish adware to bloatware that was impossible to remove. The company begins 2016 with another bruise to its reputation: its SHAREit file-sharing software is stunningly insecure, and all Lenovo PC owners should update the application.

screen shot 2016 01 27 at 10.31.58 am

SHAREit is similar to Apple's AirDrop, and uses Wi-Fi to exchange files among Windows PCs and iOS, Android and Windows Phone smartphones. Some of these devices can be temporarily transformed into stand-alone Wi-Fi hotspots to share files if  wireless networks are not available.

But SHAREit comes with several major flaws, perhaps the worst of which is that temporary networks hosted on a PC have a hardcoded access password of  “12345678” -- the "third-worst" password of 2015. That means SHAREit users could have their computers browsed by nearby strangers, who could copy any files off the devices. SHAREit also sends information in unencrypted plaintext over the HTTP protocol, which exposes users to man-in-the-middle attacks

MORE: Best Antivirus Protection for PC, Mac and Android

Another SHAREit flaw pertains to Android devices. The Android SHAREit app creates an open, unsecured Wi-Fi network with no password, and all data transferred over that network could be easily captured by an interlocutor.

Lenovo has created patches for these problems. Users of the SHAREit Windows application should visit the company’s download page to grab the update as soon as possible, and Android users should update their app or visit the download page on Google Play. (No flaws were found in the iOS or Windows Phone SHAREit apps.)

You don't want vulnerable software on your computer, and SHAREit is preinstalled on many Lenovo PCs. Lenovo also makes the software free to anyone with a compatible device.

The SHAREit flaws were discovered by Boston-based Core Security, which worked with Lenovo to fix the problem since October. An extensive but easy-to-read explanation of the problems list of notes is available on the Core Security website.

Author Bio
Henry T. Casey
Henry T. Casey,
After graduating from Bard College a B.A. in Literature, Henry T. Casey worked in publishing and product development at Rizzoli and The Metropolitan Museum of Art, respectively. Henry joined Tom's Guide and LAPTOP having written for The Content Strategist, Tech Radar and Patek Philippe International Magazine. He divides his free time between going to live concerts, listening to too many podcasts, and mastering his cold brew coffee process. Content rules everything around him.
Henry T. Casey, on
Add a comment
1 comment
  • Sam Smith Says:

    This is worrisome. I own a Lenovo Yoga, no preinstalled Superfish, and I've been somewhat satisfied. However, I've had some build issues and articles like this make me take pause.

    --
    Sam Smith
    Technology Evangelist and Aspiring Chef.
    Large file transfers made easy.
    Innorix DS

Back to top