Lenovo’s SHAREit App for Android and Windows smartphones has multiple vulnerabilities
SHAREit is a popular app for Android smartphones and Windows Phone that users rely on to transfer large files between two smartphones. The app, developed by PC maker Lenovo, transfers files very quickly between PCs and smartphones using Wi-Fi and has upwards of 5 million downloads worldwide. It has now been found to be beset with multiple vulnerabilities.
Researchers from Core Security’s CoreLabs have discovered that flaws in the SHAREit app can leak information as well as passwords. According to the researchers, Lenovo SHAREit for Android version 3.0.18_ww and Lenovo SHAREit for Windows version 18.104.22.168 were found to have multiple vulnerabilities which could result in integrity corruption, information leaks and security bypasses.
According to the CoreLabs researchers, SHAREit for Windows Phone is particularly risky because it has a hardcoded password which can be easily exploited by potential hackers. Core Security said that when the app is configured to receive files from devices, it sets up a Wi-Fi hotspot with the same 12345678 password every time.
The updated app removes that default password, but not before it opened the door to another hole that could allow attackers to remotely browse a device’s file system.
“When the WiFi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit,” Core Security said in its advisory, and also shared the request used to carry out the attack.
CoreLabs researchers also noted that both the Windows and Android versions of the SHAREit app transferred files in plain text over HTTP, which any potential hacker on the network can easily sniff. “An attacker that is able to sniff the network traffic could view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files,” Core Security said.
The final vulnerability affects only the Android version of the app, which, when configured to receive files, does so over a Wi-Fi hotspot that the app creates without a password. “An attacker could connect to that HotSpot and capture the information transferred between those devices,” Core Security said.
CoreLabs has informed Lenovo about the vulnerabilities in the SHAREit app for both Windows and Android smartphones, and Lenovo for its part has updated the app for both platforms.
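The weaknesses described above (a fixed hotspot password, an open hotspot, and plain-text HTTP transfers) can be checked for in a file-transfer app's receive-mode settings. The following is an added example, not code from Lenovo or Core Security: the session dictionary layout, the function names and the sample addresses are assumptions made for illustration, and it also shows the per-session random passphrase that replaces a hardcoded one.

```python
import secrets
import string
from urllib.parse import urlparse

ALPHABET = string.ascii_letters + string.digits
KNOWN_DEFAULTS = {"12345678"}  # fixed hotspot password named in the advisory


def new_session_passphrase(length=16):
    """Return a fresh random hotspot passphrase for a single receive session."""
    if not 8 <= length <= 63:  # WPA2-PSK passphrase length limits
        raise ValueError("passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_sessions(sessions):
    """Return (session index, finding) pairs for a list of receive sessions.

    Each session is a dict with 'hotspot_psk' and 'transfer_url' keys
    (hypothetical layout, not a SHAREit format).
    """
    findings = []
    seen = set()
    for i, s in enumerate(sessions):
        psk = s.get("hotspot_psk")
        if not psk:
            findings.append((i, "open-hotspot"))
        elif psk in KNOWN_DEFAULTS:
            findings.append((i, "default-password"))
        elif psk in seen:  # same secret used for more than one session
            findings.append((i, "password-reused"))
        if psk:
            seen.add(psk)
        if urlparse(s.get("transfer_url") or "").scheme != "https":
            findings.append((i, "plaintext-transfer"))
    return findings


# Constructed sample sessions (192.0.2.1 is a documentation address).
SAMPLE = [
    {"hotspot_psk": "12345678", "transfer_url": "http://192.0.2.1/"},
    {"hotspot_psk": None, "transfer_url": "http://192.0.2.1/"},
    {"hotspot_psk": new_session_passphrase(), "transfer_url": "https://192.0.2.1/"},
]

if __name__ == "__main__":
    for index, finding in audit_sessions(SAMPLE):
        print(f"session {index}: {finding}")
```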