LENOVO’S FINGERPRINT SOFTWARE has been fingered as the culprit for leaving user passwords vulnerable on the company’s ThinkPad, ThinkCentre and ThinkStation devices.
In a mea culpa moment, Lenovo confirmed the vulnerability in its Fingerprint Manager Pro software that comes bundled in several dozen of its ThinkThingy machines.
While the Chinese computer maker has released a patch to plug the hole, the weak encryption in the software could allow hackers to get hold of a hard-coded password and crack into a machine by bypassing the fingerprint scanner.
“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,” explained Lenovo.
So that’s a bit of a facepalm moment for Lenovo. But the vulnerability only affected machines running Windows 7 and Windows 8.1, not Windows 10. To be honest, if you stuck with the mess that was Windows 8.1, you probably have more worries than flawed fingerprint software.
To exploit the security hole, hackers would also need to have had physical access to an affected machine, so many Lenovo users probably would have been safe if they made sure to keep the office’s Shifty Steve away from their ThinkMachines.
That being said, Lenovo did mark the flaw as having a high severity, but at least there’s a fix out so no need to panic.
Lenovo’s track record with pre-loaded software isn’t stellar as the firm has been slapped pretty hard for having spyware-based adware pre-installed on its laptops from 2014 onwards. No one likes bloatware but having it snoop on you would make even the most patient person kick up a fuss. µ
Source : Inquirer