Lenovo’s fingerprint authentication app had bad bugs that made it easy to hack

lenovo, fingerprint, vulnerability

This is pretty jarring. Lenovo has confirmed its in-house authentication software Fingerprint Manager Pro (version 8.01.86), which lets users unlock their devices using fingerprint recognition, was affected by a severe vulnerability which attackers could exploit to access to any system equipped with the app.

As per Lenovo’s disclosure, Fingerprint Manager contained a hard-coded password that made it accessible to all users with local non-administrative access. In addition to this, it stored sensitive information like Windows logon credentials and fingerprint data which were “encrypted using a weak algorithm.”

Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,” the report read.

The flaw was discovered by researcher Jackson Thuraisamy from Security Compass.

For those unfamiliar, Fingerprint Manager allowed users with fingerprint-enabled Lenovo devices to log in using their fingers.

The faulty software is available for Windows 7, 8 and 8.1. According to a details posted on the company’s website, this is the full list of devices compatible with Fingerprint Manager:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900

Users running an affected iteration of the authentication app are advised to immediately update to version 8.01.87 or later. You can do so by clicking here.

The security blunder is not the first on the company’s record. Back in 2015, Lenovo got its website hacked – a week after it was caught secretly loading adware on new computers.

Read next: Official Galaxy S9 renders have leaked