2 weeks ago

Hard-coded Password Lets Attackers Bypass Lenovo’s Fingerprint Scanner


Lenovo has recently rolled out security patches for a severe vulnerability in its Fingerprint Manager Pro software that could leak sensitive data stored by users.

Fingerprint Manager Pro is a utility for the Microsoft Windows 7, 8 and 8.1 operating systems that allows users to log into their fingerprint-enabled Lenovo PCs using their fingers. The software can also be configured to store website credentials and authenticate to sites via fingerprint.

In addition to fingerprint data, the software also stores users’ sensitive information such as their Windows login credentials, all of which is encrypted using a weak cryptographic algorithm.

According to the company, Fingerprint Manager Pro version 8.01.86 and earlier contains a hard-coded password vulnerability, identified as CVE-2017-3762, that made the software accessible to all users with local non-administrative access.

“Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials as well as fingerprint data, can be encrypted using a weak algorithm, contains a hard-coded password, as well as can be accessible to all users with local non-administrative access to the system the item can be installed in,” the company said in its advisory, briefly describing the vulnerability.

The vulnerability impacts Lenovo ThinkPad, ThinkCentre and ThinkStation laptops, affecting more than two dozen Lenovo ThinkPad products, 5 ThinkStation products and eight ThinkCentre products that run the Windows 7, 8 and 8.1 operating systems.

Here’s the full list of Lenovo devices compatible with Fingerprint Manager Pro and impacted by the vulnerability:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900

Lenovo has credited security researcher Jackson Thuraisamy of Security Compass for discovering and responsibly reporting the vulnerability.

The popular Chinese computer maker strongly recommends that its ThinkPad customers update their devices to Fingerprint Manager Pro version 8.01.87 or later to address the issue. You can also head to the company’s official website to do so.

Since Microsoft added native fingerprint reader support with the Windows 10 operating system, eliminating the need for the Fingerprint Manager Pro software, Lenovo laptops running Windows 10 are not impacted by the vulnerability.
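To check whether a machine still runs an affected build, the installed version can be compared against the fixed release named above. The following PowerShell script is an added example, not code from Lenovo or from the advisory; it assumes the product registers an uninstall entry whose DisplayName contains "Fingerprint Manager Pro", and the function name `Test-FmpVulnerable` is hypothetical.

```powershell
# Added example: local audit for CVE-2017-3762 exposure.
# Written for Windows PowerShell 2.0 so it runs on stock Windows 7.
$FixedVersion = [version]'8.01.87'            # first fixed version per the article
$NamePattern  = '*Fingerprint Manager Pro*'   # ASSUMED uninstall DisplayName

function Test-FmpVulnerable {
    # Returns $true if older than the fixed version, $false if not,
    # and $null when the version string cannot be parsed.
    param([string]$DisplayVersion)
    try   { return ([version]$DisplayVersion -lt $FixedVersion) }
    catch { return $null }
}

# 64-bit and 32-bit (WOW6432Node) machine-wide uninstall entries
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$os = (Get-WmiObject -Class Win32_OperatingSystem).Caption

$entries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern })

if ($entries.Count -eq 0) {
    Write-Output "Fingerprint Manager Pro not found in uninstall entries ($os)."
} else {
    foreach ($e in $entries) {
        $vuln = Test-FmpVulnerable -DisplayVersion $e.DisplayVersion
        if ($null -eq $vuln) {
            $status = 'UNKNOWN (check manually)'
        } elseif ($vuln) {
            $status = 'VULNERABLE (update to 8.01.87 or later)'
        } else {
            $status = 'PATCHED'
        }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            OS       = $os
            Product  = $e.DisplayName
            Version  = $e.DisplayVersion
            Status   = $status
        } | Select-Object Computer, OS, Product, Version, Status
    }
}
```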
