Lenovo File-Transfer Software Has Password '12345678'
In the past year, Lenovo developed a dubious track record of self-inflicted wounds, from preloading the security-disabling Superfish adware to bloatware that was impossible to remove. The company begins 2016 with another bruise to its reputation: its SHAREit file-sharing software is stunningly insecure, and all Lenovo PC owners should update the application.
SHAREit is similar to Apple's AirDrop, and uses Wi-Fi to exchange files among Windows PCs and iOS, Android and Windows Phone smartphones. Some of these devices can be temporarily transformed into stand-alone Wi-Fi hotspots to share files if wireless networks are not available.
But SHAREit comes with several major flaws, perhaps the worst of which is that temporary networks hosted on a PC have a hardcoded access password of "12345678" -- the "third-worst" password of 2015. That means SHAREit users could have their computers browsed by nearby strangers, who could copy any files off the devices. SHAREit also sends information in unencrypted plaintext over the HTTP protocol, which exposes users to man-in-the-middle attacks.
Another SHAREit flaw pertains to Android devices. The Android SHAREit app creates an open, unsecured Wi-Fi network with no password, and all data transferred over that network could be easily captured by an interloper.
Lenovo has created patches for these problems. Users of the SHAREit Windows application should visit the company’s download page to grab the update as soon as possible, and Android users should update their app or visit the download page on Google Play. (No flaws were found in the iOS or Windows Phone SHAREit apps.)
You don't want vulnerable software on your computer, and SHAREit is preinstalled on many Lenovo PCs. Lenovo also makes the software free to anyone with a compatible device.
The SHAREit flaws were discovered by Boston-based Core Security, which has worked with Lenovo since October to fix the problem. An extensive but easy-to-read explanation of the problems is available on the Core Security website.