A filesharing utility for Android devices and Windows computers shipped by hardware vendor Lenovo has been found by security researchers to contain multiple, easily exploitable vulnerabilities
CoreSecurity discovered that the free Lenovo SHAREit tool for Windows creates a wi-fi hotspot with the password 12345678, allowing anyone to connect to the system running SHAREit.
On Android devices, SHAREit sets up an open wi-fi hotspot without any password at all, in order to receive files. This could allow attackers to connect to the Android device without authentication and capture information transferred, CoreSecurity said.
The researchers also noted that files were transferred using plain-text hyper text transport protocol (HTTP) with no encryption; this could allow attackers to intercept and modify data in man-in-the-middle scenarios on the same network.
It was also possible to browse - but not download - the file systems on Windows computers with SHAREit active, using a simple request to a webserver and by connecting with the default 12345678 password.
Core Security alerted Lenovo to the vulnerabilities in SHAREit on October 29 last year. Lenovo issued patched versions of SHAREit yesterday.