This is pretty jarring. Lenovo has confirmed its in-house authentication software Fingerprint Manager Pro (version 8.01.86), which lets users unlock their devices using fingerprint recognition, was affected by a severe vulnerability which attackers could exploit to gain access to any system equipped with the app.
As per Lenovo’s disclosure, Fingerprint Manager contained a hard-coded password, and the data it stored was accessible to all users with local non-administrative access. That data included sensitive information like Windows logon credentials and fingerprint data, which was “encrypted using a weak algorithm.”
“Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,” the report read.
The flaw was discovered by researcher Jackson Thuraisamy from Security Compass.
For those unfamiliar, Fingerprint Manager allowed users with fingerprint-enabled Lenovo devices to log in using their fingers.
The faulty software is available for Windows 7, 8 and 8.1. According to details posted on the company’s website, this is the full list of devices compatible with Fingerprint Manager:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
Users running an affected iteration of the authentication app are advised to immediately update to version 8.01.87 or later.
The security blunder is not the first on the company’s record. Back in 2015, Lenovo got its website hacked – a week after it was caught secretly loading adware on new computers.