What would you expect a tech giant to protect your back door with?





Holy Cow! It's "12345678" as a Hard-Coded Password.





Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit, leaving it open to anyone who could guess '12345678'.





The largest Chinese PC maker has made a number of headlines in the past for compromising its customers' security.





Now, CoreLabs, the research center of Core Security, has issued an advisory on Monday that revealed several software vulnerabilities in the Lenovo SHAREit app for Windows and Android that could result in:

Information leaks

Security protocol bypass

Man-in-the-middle (MITM) attacks



Critical Vulnerabilities in SHAREit

SHAREit is a free file sharing application designed to let people share files and folders between Android devices or Windows computers over a local LAN or through a Wi-Fi hotspot that the app itself creates.





All the vulnerabilities were remotely exploitable (by anyone within Wi-Fi range of the hotspot) and affected the Android 3.0.18_ww and Windows 2.5.1.1 versions of SHAREit.





Here's the list of the four vulnerabilities:

Use of Hard-coded Password [CVE-2016-1491]

Missing Authorization [CVE-2016-1492]

Missing Encryption of Sensitive Data [CVE-2016-1489]

Information Exposure [CVE-2016-1490]

How Dare You! The first vulnerability (CVE-2016-1491) would make you scream…



Using '12345678' as Hard Coded Password



Lenovo was using '12345678' as a hard-coded password in SHAREit for Windows, a string that the password management firm SplashData ranked as the third worst password of 2015.





Here's what Core Security researchers explain:

"When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same."

This is ridiculous, especially because a hard-coded password cannot be changed by an average user, so every installation shares the same secret and every customer's data is put at risk.
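The pattern described above, side by side with a hardened version, as an added example (this is not Lenovo's or Core Security's code). It assumes, for illustration, that the app keeps its hotspot settings in a small dict with an 'ssid' and a 'passphrase' key and that the receiving side regenerates the passphrase each time it opens a hotspot; the short blocklist is constructed here and stands in for a full common-password list such as the one SplashData publishes.

```python
"""Hard-coded hotspot passphrase (the CVE-2016-1491 pattern) next to a
per-session random passphrase, plus a check that rejects weak ones.
Added example; the config layout and blocklist are assumptions."""
import secrets
import string

# WPA2-PSK passphrases must be 8-63 printable ASCII characters.
WPA2_MIN_LEN = 8
WPA2_MAX_LEN = 63

# Constructed blocklist; in practice load a full common-password list.
COMMON_PASSWORDS = frozenset({
    "12345678", "123456789", "password", "qwertyui", "11111111",
    "abcdefgh", "iloveyou", "sunshine", "football", "baseball",
})


def vulnerable_hotspot_config(ssid: str) -> dict:
    """The pattern the advisory describes: the same passphrase every time."""
    return {"ssid": ssid, "passphrase": "12345678"}  # hard-coded, unchangeable


def is_weak_passphrase(passphrase: str) -> bool:
    """True if the passphrase must not be used to protect a WPA2 hotspot."""
    if not (WPA2_MIN_LEN <= len(passphrase) <= WPA2_MAX_LEN):
        return True
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return True
    if passphrase.lower() in COMMON_PASSWORDS:
        return True
    # Pure digits or a single repeated character are trivially guessable.
    if passphrase.isdigit() or len(set(passphrase)) == 1:
        return True
    return False


def generate_hotspot_passphrase(length: int = 16) -> str:
    """A fresh, CSPRNG-generated passphrase for each receive session."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_weak_passphrase(candidate):
            return candidate


def hardened_hotspot_config(ssid: str) -> dict:
    """Per-session passphrase; the app shows it (or a QR code) to the user."""
    return {"ssid": ssid, "passphrase": generate_hotspot_passphrase()}


if __name__ == "__main__":
    bad = vulnerable_hotspot_config("SHAREit-demo")
    good = hardened_hotspot_config("SHAREit-demo")
    print("hard-coded passphrase weak?", is_weak_passphrase(bad["passphrase"]))
    print("generated passphrase weak?", is_weak_passphrase(good["passphrase"]))
```

The check is the part worth lifting into a build or release pipeline: run it over every credential the application ships with, and a constant like '12345678' fails before it reaches customers.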



Other Critical Flaws Left Millions of Users at Risk



However, the issue got worse when the second vulnerability (CVE-2016-1492) came into play. In the second flaw, which applied only to SHAREit for Android, an open Wi-Fi hotspot is created without any password at all when the app is configured to receive files.





This could have allowed anyone nearby to connect to that insecure Wi-Fi hotspot and capture the data transferred between Windows and Android devices.

This didn't end here. Both the Windows and Android versions were open to the third flaw (CVE-2016-1489), which involved the transfer of files via HTTP without encryption.





This allowed hackers to sniff the network traffic and view the data transferred or perform Man-in-the-Middle (MitM) attacks in order to modify the content of the transferred files.
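To show why an unencrypted, unauthenticated HTTP transfer lets an on-path attacker alter files without the receiver noticing, here is an added example (not SHAREit's code) that simulates a transfer over an untrusted link with and without an integrity tag. It assumes, for illustration, that sender and receiver already share a per-session secret (for instance one shown on the receiving device's screen) and uses an in-memory byte string as a stand-in for the hotspot network; the sample file is constructed. It covers only the modification half of the problem: keeping the contents from being sniffed needs TLS or an AEAD cipher, which the standard library alone does not provide.

```python
"""Unauthenticated vs. HMAC-authenticated file transfer over a link where a
man-in-the-middle can rewrite bytes. Added example; the shared secret and the
in-memory 'wire' are assumptions, and the sample file is constructed."""
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size


def derive_session_key(shared_secret: str, session_id: bytes) -> bytes:
    """Stretch the human-visible secret into a 32-byte key; never key HMAC with it directly."""
    return hashlib.pbkdf2_hmac("sha256", shared_secret.encode(), session_id, 100_000)


def send_plaintext(data: bytes) -> bytes:
    """What plain HTTP amounts to on the wire: the bytes and nothing else."""
    return data


def receive_plaintext(frame: bytes) -> bytes:
    """The receiver has no way to notice tampering; it simply stores the file."""
    return frame


def send_authenticated(key: bytes, data: bytes) -> bytes:
    """Frame = HMAC-SHA256(key, payload) || payload."""
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return tag + data


def receive_authenticated(key: bytes, frame: bytes) -> bytes:
    """Recompute the tag in constant time and refuse the file if it differs."""
    tag, data = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: file was modified in transit")
    return data


def mitm_tamper(frame: bytes) -> bytes:
    """An on-path attacker on the open hotspot rewriting the transferred file."""
    return frame.replace(b"pay 100", b"pay 999")


# Constructed sample file, not real SHAREit traffic.
SAMPLE_FILE = b"invoice.txt: please pay 100 EUR to account 12345\n"


def demo() -> dict:
    """Run both paths through the tampering attacker and report what happened."""
    session_id = os.urandom(16)
    key = derive_session_key("correct horse battery", session_id)

    # Unauthenticated path: the modified file is accepted as genuine.
    plain_received = receive_plaintext(mitm_tamper(send_plaintext(SAMPLE_FILE)))

    # Authenticated path: the same modification is rejected.
    try:
        receive_authenticated(key, mitm_tamper(send_authenticated(key, SAMPLE_FILE)))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # Sanity check: an untouched frame still verifies.
    untouched = receive_authenticated(key, send_authenticated(key, SAMPLE_FILE))

    return {
        "plaintext_tampered": plain_received != SAMPLE_FILE,
        "authenticated_tamper_detected": tamper_detected,
        "authenticated_untouched_ok": untouched == SAMPLE_FILE,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the receiver, not the network, decides whether a file is genuine; a hotspot with a guessable or missing password gives an attacker the network, so the transfer itself has to carry the protection.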





Finally, last but not least, the fourth vulnerability (CVE-2016-1490) discovered by CoreLabs allows remote browsing of the file system exposed by Lenovo SHAREit and builds upon the default 12345678 Windows password issue reported above.

"When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit," says the advisory.



Patch Now!

The researchers at Core Security privately reported the flaws to Lenovo back in October last year, but the tech giant took three months to patch them.



