Lenovo removes hard-coded WiFi hotspot passwords

Jan 25, 2016 22:25 GMT  ·  By

Lenovo has released new versions of its SHAREit file sharing app for Windows and Android to address four security bugs discovered by Core Security Technologies, a US-based security vendor.

Lenovo SHAREit is a file-sharing application for Windows, Android, and iOS devices. It lets users move files between their phone, tablet, laptop, and desktop, using a set of predefined folders as the transfer locations, much as Dropbox does.

While SHAREit's description gives the impression of a well put-together app, Core Security's researchers were surprised to find a series of fairly basic security bugs that would have allowed easy access to a user's files and devices.

On Windows: hard-coded WiFi hotspot password "12345678"

Researchers found four bugs in total: three affecting the Windows app and two affecting the Android version, with one bug shared between the two.

The first issue (CVE-2016-1491), in the SHAREit app for Windows, is a hard-coded password. When the app gets ready to receive files, it sets up a WiFi hotspot on the Windows machine it runs on, protected by the default password "12345678." The password is the same every time a hotspot is started, and users have no way to change it, because it is fixed inside the application rather than exposed as a setting.

The second issue (CVE-2016-1490) builds on the first and can be exploited while that WiFi hotspot is up. Once connected to it, an attacker can browse files on the computer running the hotspot by sending specific HTTP requests to a Web server that the app also opens, without telling the user.

The third issue (CVE-2016-1489), which affects the Windows app and the Android app alike, is the lack of encryption when transferring files between devices.

This exposes users to Man-in-the-Middle (MitM) attacks from any malicious party that can join the WiFi hotspot created for the file-sharing session.

On Android: No password at all

The fourth issue (CVE-2016-1492), unique to the Android version, mirrors the first, except that instead of a hard-coded password the Android app uses no password at all, so any nearby attacker can connect to the hotspot and intercept file transfers with nothing to stop them.
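The Windows bug (a constant "12345678" passphrase) and the Android bug (no passphrase at all) are two instances of the same design mistake: the credential that protects the hotspot is decided at build time instead of at session start. The example below is added here and is not SHAREit code or Core Security's; it is written in Python for illustration only. It places the weak pattern next to the hardened one (a fresh passphrase from the OS random source every time the hotspot is started) and adds a small reviewer-style check that classifies a hotspot configuration as open, weak, or acceptable. The SSID is deliberately left out, and the list of common passphrases is constructed; the only value taken from the article is "12345678".

```python
import secrets
import string

# Constructed list of passphrases that tend to get hard-coded or reused.
# "12345678" is the value reported for SHAREit on Windows (CVE-2016-1491);
# the rest are illustrative additions, not taken from the article.
COMMON_HOTSPOT_PASSWORDS = {"12345678", "87654321", "00000000", "11111111", "password"}

# WPA2-PSK passphrases are 8..63 printable ASCII characters.
WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63

# Minimum we accept for a passphrase that anyone within radio range can
# attempt offline once they capture a handshake; 8 is the protocol floor.
MIN_ACCEPTABLE_LEN = 12


def weak_hotspot_config():
    """The pattern described in the article: one constant passphrase,
    identical on every install and every session, not user-configurable."""
    return {"security": "WPA2-PSK", "passphrase": "12345678"}


def open_hotspot_config():
    """The Android pattern described in the article: no passphrase at all."""
    return {"security": "open", "passphrase": None}


def hardened_hotspot_config(length=20):
    """Generate a fresh per-session passphrase from the OS CSPRNG.

    Because a new value is drawn each time the hotspot is started, a
    passphrase recovered from one session (or from the binary) is useless
    for any other session."""
    if not WPA2_MIN_LEN <= length <= WPA2_MAX_LEN:
        raise ValueError("WPA2 passphrase length must be 8..63 characters")
    alphabet = string.ascii_letters + string.digits
    passphrase = "".join(secrets.choice(alphabet) for _ in range(length))
    return {"security": "WPA2-PSK", "passphrase": passphrase}


def assess_hotspot(config):
    """Classify a hotspot configuration.

    'open'  - no security or no passphrase (the CVE-2016-1492 situation)
    'weak'  - a known/common passphrase, too short, or drawn from a single
              character class (the CVE-2016-1491 situation and its cousins)
    'ok'    - long enough and mixed, as a random per-session value would be
    """
    security = (config.get("security") or "").lower()
    pw = config.get("passphrase")
    if security in ("", "open", "none") or not pw:
        return "open"
    if pw in COMMON_HOTSPOT_PASSWORDS or len(pw) < MIN_ACCEPTABLE_LEN:
        return "weak"
    if len(pw) > WPA2_MAX_LEN:
        return "weak"  # not a valid WPA2 passphrase; treat as misconfigured
    classes = sum(
        1
        for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits)
        if any(c in cls for c in pw)
    )
    if classes < 2:
        return "weak"  # e.g. all digits: tiny search space for its length
    return "ok"


if __name__ == "__main__":
    for name, cfg in (
        ("windows-style constant", weak_hotspot_config()),
        ("android-style open", open_hotspot_config()),
        ("per-session random", hardened_hotspot_config()),
    ):
        print(f"{name:24s} -> {assess_hotspot(cfg)}")
```

The check is intentionally coarse: from a single sample it cannot prove a passphrase was generated randomly, only rule out the obviously bad cases (absent, common, short, single character class). The real fix is in `hardened_hotspot_config`: generate the secret when the hotspot starts and show it to the user on the receiving device, instead of shipping one value to every installation.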

Affected versions include Lenovo SHAREit for Android 3.0.18_ww (and possibly earlier) and Lenovo SHAREit for Windows 2.5.1.1 (and possibly earlier).

If you use SHAREit regularly, head to Lenovo's website to download the latest versions of these apps.