Software shipped with Lenovo computers for biometric authentication contains a hardcoded password and allows for easy decryption of stored data, researchers have found.
Security Compass researcher Jackson Thuraisamy reported to Lenovo that its Fingerprint Manager Pro utility shipped with Windows 7, 8 and 8.1 computers encrypts operating system credentials and biometrics data with a weak algorithm, making it easily crackable.
Additionally, the software contains a hardcoded password that means any users with local system access could view the stored data.
Lenovo is now advising users to upgrade to version 8.01.87 of Fingerprint Manager Pro, which is patched against the vulnerabilities.
A total of 39 models of ThinkPad laptops and ThinkCentre and ThinkStation computers shipped with Fingerprint Manager Pro included.
The PC vendor has a chequered history when it comes to security. It was fined several millions of dollars last year for shipping computers with the unsafe Superfish software.
