Lenovo ShareIT is a multiplatform application designed to share files between multiple devices (smartphones, tablets and computers) connected to the same network. With this application we can copy files from one device to another without using additional applications or creating PAN networks (e.g. Bluetooth), simply by taking advantage of the local network. This saves data and keeps everything secure and private, without files being stored on third-party servers where other people could seize them.
But if we want to guarantee the security and privacy of our files, we must make sure that we are using secure configurations and the latest versions of the software. Recently, a group of researchers from Core Security reported a series of basic security flaws in Lenovo ShareIT.
Versions of Lenovo ShareIT, from the latest to earlier ones, are affected by four elementary security flaws:
These security researchers detected a total of 4 security problems in this application: 3 of them affect the Windows version and two of them affect the Android app, with one flaw shared by both versions.
- The first flaw, referred to as CVE-2016-1491, is in the password that is set when files are shared between two devices through a custom Wi-Fi access point. When this access point is created, the password 12345678 is enabled by default and, because it is hard-coded, the user cannot modify it.
- The second flaw, CVE-2016-1490, builds on the first. Because of this flaw, an unauthorized user can connect to the network and send a specific HTTP packet to the secret server that ShareIT enables, gaining access to all files stored in the user's memory.
- The third flaw, known as CVE-2016-1489, is present in both the Windows and the Android applications. It is due to the lack of encryption at the time of transfer: files are sent without any protection.
- Finally, the fourth vulnerability, CVE-2016-1492, only affects the Android version. This vulnerability is similar to the first, although in this case, instead of using a static password, the Android access point has no password at all, allowing any user to connect to the network and intercept files.
The versions affected by these flaws are Lenovo ShareIT 3.0.18 (and earlier) for Android and Lenovo ShareIT 220.127.116.11 (and earlier) for Windows. If you use this application, make sure to download the latest version of the tool, available for free from its main website.
Are you a Lenovo ShareIT user? Do you know of other similar applications to share files between devices? We hope you liked this article; share your views in the comments.