Lenovo's File Sharing App Included Some Pretty Irresponsible Security Bugs

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Lenovo has released new versions of its SHAREit file sharing app for Windows and Android to address four security bugs discovered by Core Security Technologies, a US-based security vendor.

Lenovo SHAREit is a file sharing application for Windows, Android, and iOS devices. The app lets users share files between their phone, tablet, laptop, and desktops, and uses a series of predestined folders to move files around, similarly to how Dropbox works.

While SHAREit's description gives you the impression of a well put together app, Core Security's researchers were surprised to find a series of pretty basic security bugs which would have allowed easy access to someone's files and devices.

On Windows: Hard-coded WiFi hotspot password "12345678"
Researchers found four bugs, three for the Windows app, and two for the Android version, with one bug shared between both versions.

The first issue (CVE-2016-1491) discovered in the SHAREit app for Windows is a hard-coded password, left in the app's source code. When the app is getting ready to receive files, it sets up a WiFi hotspot on the Windows machine it runs on, which has the default password "12345678." This password is always the same each time a WiFi hotspot is started, and users can't change it unless they alter the app's source code.

The second issue (CVE-2016-1490) escalates from this first bug, and can be exploited while this WiFi hotspot is open. Attackers could browse files on the computer that runs the WiFi hotspot by sending specific HTTP requests to a Web server that the app has also secretly opened.

The third issue (CVE-2016-1489), which affects the Windows app but also the Android app, is the lack of encryption when transferring files between devices.

This exposes users to MitM (Man-in-the-Middle) attacks from any malicious party that can access the WiFi hotspot that's created to allow the file sharing operations.

On Android: No password at all
The fourth issue (CVE-2016-1492), unique to the Android version, is similar to the first issue, but instead of using a hard-coded password, the Android app uses no password at all, allowing any nearby attacker to connect to the hotspot and intercept file transfers without anything stopping him.

Affected versions include Lenovo SHAREit for Android 3.0.18_ww (and possibly earlier), and Lenovo SHAREit for Windows 2.5.1.1 (and possibly earlier).

If you're using SHAREit on a regular basis, head on to Lenovo's website to download the latest versions of these apps.
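The first, second and fourth bugs above share one root cause: the hotspot and the helper web server accept whoever shows up. As an added illustration (not Lenovo's or Core Security's code), the Python sketch below shows how a receiving side could instead mint a random hotspot password per session, reject the two weak patterns the advisory names (no password, and a short all-digit default), and require a session token before resolving any HTTP file request to a path confined to the share folder; the share root path, the policy thresholds and the class layout are assumptions for the example.

```python
import hmac
import posixpath
import secrets
import string

# Hypothetical share root; in the real app this would be the predefined share folder.
SHARE_ROOT = "/home/user/SHAREit"  # constructed path for the example
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def password_is_acceptable(password: str) -> bool:
    """Policy check: rejects the two patterns named in the advisory,
    no password at all (Android) and the short all-digit default (Windows)."""
    if len(password) < 12:
        return False
    return not password.isdigit()


def generate_hotspot_password(length: int = 16) -> str:
    """Mint a fresh, random hotspot password for every sharing session
    instead of one fixed value left in the source code."""
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if password_is_acceptable(candidate):
            return candidate


class ShareServer:
    """Minimal model of the receiving side's helper HTTP server (assumed design)."""

    def __init__(self, share_root: str = SHARE_ROOT) -> None:
        self.share_root = posixpath.normpath(share_root)
        self.hotspot_password = generate_hotspot_password()
        # Session token the sender must present on every HTTP request.
        self.session_token = secrets.token_urlsafe(32)

    def authorize(self, presented_token: str) -> bool:
        # Constant-time comparison so the token cannot be guessed byte by byte.
        return hmac.compare_digest(presented_token, self.session_token)

    def resolve(self, presented_token: str, requested: str):
        """Return the local path for an HTTP file request, or None if the
        request is unauthenticated or escapes the share folder."""
        if not self.authorize(presented_token):
            return None
        joined = posixpath.normpath(posixpath.join(self.share_root, requested.lstrip("/")))
        inside = joined == self.share_root or joined.startswith(self.share_root + "/")
        return joined if inside else None
```

The unencrypted transfer (CVE-2016-1489) is not covered here; that one needs TLS on the transfer channel rather than a policy check.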

LabZero

Well, before Superfish, then Lenovo System Update, which allows you to download updates for drivers and other software, including security patches, from the company servers (a token generation vulnerability was found)... and now SHAREit!
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Too bad for Lenovo; they already bought problems with their bundled programs, which are supposed to operate smoothly, even though others consider them unnecessary for bundled products.

If the problem occurs, then it's no surprise if the same fate happens to Samsung, but in another story version of phasing out laptops.
 

DracusNarcrym

Level 20
Verified
Top Poster
Well-known
Oct 16, 2015
970
Lenovo are really loose on their quality policies regarding their OEM software.
And by "loose", I would mean utterly careless.

This would apply to the vast majority of OEM software anyway; however, Lenovo is quite prevalent in the market, and so they should be much more careful regarding the development of software they ship with their devices.
 

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
I have a couple of Lenovos and the first thing I do is remove everything, as is my standard operating procedure for HP and ASUS as well.
There is really nothing I am going to miss or really use and lately the security vulnerabilities make this a must.
 

DracusNarcrym

Level 20
Verified
Top Poster
Well-known
Oct 16, 2015
970
I have a couple of Lenovos and the first thing I do is remove everything, as is my standard operating procedure for HP and ASUS as well.
There is really nothing I am going to miss or really use and lately the security vulnerabilities make this a must.
I couldn't agree more.
OEM software is generally fragile and vulnerable, is prone to various malfunctions and is definitely not on a regular development schedule.
It's best to remove it, most of the time. At least, any laptop user's experience says so...
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
OEM software is not bad actually; however, manufacturers like Lenovo serve as an example of nearly 'abusing' the selection of programs to be installed on those laptops.

Honestly, other brands do not contain security risks or even unnecessary components, but rather ones that are more useful for typical users.
 
