Lenovo has issued a fix for several flaws in a file-sharing utility called SHAREit, which the company bundles with its laptops. The vulnerabilities, which were found by Core Security, would enable attackers to conduct man-in-the-middle attacks against those using the utility.
SHAREit is an application that allows users to share their files from Windows computers or Android devices through a WiFi hotspot or a LAN. The most significant flaw in SHAREit was the presence of a hard-coded password, a problem compounded by its being one of the worst passwords in existence: 12345678.
The Android app version of SHAREit avoided this problem by not having a password in the first place, allowing just about anyone to connect to its WiFi hotspot.
Core Security also took issue with the fact that SHAREit transferred files over regular HTTP without encryption. As stated by the company: “The files are transferred via HTTP without encryption. An attacker that is able to sniff the network traffic could view the data transferred or perform man-in-the-middle attacks, for example by modifying the content of the transferred files.
When the application is configured to receive files, an open WiFi hotspot is created without any password. An attacker could connect to that hotspot and capture the information transferred between those devices.”
SHAREit has now been updated on both Android devices and Windows computers with some security improvements. The app has a new “secure mode” which allows users to create their own unique passwords before sharing files, preventing attackers from connecting. SHAREit also now uses 256-bit Advanced Encryption Standard (AES) encryption while transferring files.