Computer manufacturer Lenovo makes generally excellent computers and laptops, but for some reason it struggles with basic security. In the last two years, it's shipped laptops with the insecure SuperFish adware, its website was hacked, it had to patch a basic flaw in the Lenovo Service Engine, and it had to patch three flaws in the pre-installed Lenovo Solution Center. Any of these could have been easily prevented.
Now we're learning that Lenovo made possibly the most basic error ever in its SHAREit app for Windows and Android. The SHAREit app is supposed to make it easy to share files between gadgets. However, it actually opens those gadgets up to a number of attacks.
In fact, there are four security flaws in the SHAREit app, including sending files without encryption, making it easy for third parties to connect to your shared files to browse and download them. However, the big one is how SHAREit sets up Wi-Fi hotspots to start file sharing.
Lenovo decided to use a hard-coded password for the Wi-Fi hotspot, meaning that you, the user, can't change it. And every version of SHAREit uses the same password. That's already a problem because a hacker who figures out the one password can connect to any SHAREit hotspot.
However, Lenovo didn't even make it hard for them to figure out. The password Lenovo chose was, get ready for it, "12345678." You might remember a story we just ran on the worst passwords of 2015. If so, you might recall that "12345678" was third on the list of terrible passwords, after "123456" and "password."
Just think for a moment about how a team of highly paid computer programmers settled for a password that, we're sure, everyone reading this right now knows not to touch with a 10-foot pole. Yeah, we can't wrap our heads around it either.
Lenovo has released an updated version of SHAREit to fix the security problems. So, if you're using SHAREit, make sure you have something newer than 184.108.40.206 for Windows or 3.0.18 for Android. Or, switch to a cloud-based sharing service like Dropbox or Google Drive.