Security researchers have uncovered a serious vulnerability in Lenovo's Fingerprint Manager Pro utility. According to the reports, the credentials the program protects are encrypted with a weak algorithm and a hard-coded password, so an attacker with local access can recover them and bypass the fingerprint authentication.
Lenovo Fingerprint Manager Pro Can Be Bypassed Due to a Security Bug
Lenovo has published a critical security patch for its Fingerprint Manager Pro utility after a serious vulnerability was discovered in it. According to the security reports, the program, which manages the stored fingerprint credentials, contains a hard-coded password that can be used to decrypt them and bypass the authentication process.
The software runs on Windows 7, 8 and 8.1 and lets Lenovo customers unlock the operating system with a fingerprint; it can also store credentials for websites. In the presence of a bug like this that becomes dangerous: an attacker who recovers the credential store can use the saved passwords, including those for online banking. The stored credentials are encrypted with an algorithm that is weak by contemporary security standards.
As a result, an attacker with local access to the machine, even from a non-administrative account or malware running under one, can use the hard-coded password to decrypt the store and obtain the user's Windows logon credentials. Any website passwords the victim has saved for fingerprint sign-in, banking services included, are exposed in the same way.
Physical presence is not required: malicious code delivered by a virus or Trojan and running under an ordinary user account has all the local access the flaw needs, so such attacks can be aimed specifically at owners of Lenovo products. Attackers can compile lists of likely targets from company forums and user communities.
Further Details About the Lenovo Fingerprint Security Bug
The disclosure states that the bug affects products across the company's business lines: ThinkPad laptops, ThinkCentre desktops and ThinkStation workstations.
The bug is tracked as CVE-2017-3762, whose description reads as follows:
Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed.
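To make the CVE text concrete, the following is an added illustration and not Lenovo's code: the real algorithm, file format and password are not public on this page, so a stdlib-only keystream construction stands in for "the weak algorithm" and a made-up constant stands in for the hard-coded password. It contrasts a credential store whose key is compiled into every copy of the program, which any local user can decrypt once the constant is known, with one whose key is derived from a per-user secret that other local accounts do not hold (on Windows that role is played by DPAPI's per-user master key):

```python
"""Hard-coded key vs. per-user key for a local credential store (illustration)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a password compiled into every copy of the program.
# Anyone who can read or run the binary knows it, so it provides no secrecy.
HARDCODED_PASSWORD = b"example-hardcoded-password"  # assumption, not the real value

PBKDF2_ROUNDS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; used only so the example needs no third-party crypto."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def vulnerable_protect(secret: bytes) -> bytes:
    """The pattern the CVE describes: the same built-in key on every install.
    File permissions are irrelevant once the blob can be read by another account."""
    key = hashlib.sha256(HARDCODED_PASSWORD).digest()
    nonce = secrets.token_bytes(16)
    return nonce + _xor(secret, _keystream(key, nonce, len(secret)))


def attacker_recover(blob: bytes) -> bytes:
    """Any local user who pulled the constant out of the program can decrypt the store."""
    key = hashlib.sha256(HARDCODED_PASSWORD).digest()
    nonce, ct = blob[:16], blob[16:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


def hardened_protect(secret: bytes, user_secret: bytes) -> bytes:
    """Key derived from material only the owning user holds; blob is also authenticated."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", user_secret, salt, PBKDF2_ROUNDS)
    nonce = secrets.token_bytes(16)
    ct = _xor(secret, _keystream(key, nonce, len(secret)))
    tag = hmac.new(key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def hardened_unprotect(blob: bytes, user_secret: bytes) -> Optional[bytes]:
    """Returns the plaintext for the right user, None for any other account or a tampered blob."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = hashlib.pbkdf2_hmac("sha256", user_secret, salt, PBKDF2_ROUNDS)
    expected = hmac.new(key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(key, nonce, len(ct)))


if __name__ == "__main__":
    cred = b"CORP\\alice:constructed-sample-password"  # constructed sample input
    blob = vulnerable_protect(cred)
    print("hard-coded key, recovered by another local user:", attacker_recover(blob) == cred)
    owner, other = b"alice-per-user-secret", b"bob-per-user-secret"  # stand-ins for per-user key material
    hblob = hardened_protect(cred, owner)
    print("per-user key, owner decrypts:", hardened_unprotect(hblob, owner) == cred)
    print("per-user key, other account decrypts:", hardened_unprotect(hblob, other))
```

The weak part of the original design is not the file on disk but where the key lives: a constant inside the program is available to every account that can read the binary, so the encryption is decoration. Deriving the key from a per-user secret (or delegating to the OS credential store) keeps a standard-user attacker, or malware running as one, from reading another user's logon and website credentials.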
The complete list of products that ship with Fingerprint Manager Pro and are consequently affected by the bug:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900a
All users should upgrade to version 8.01.87 or later immediately. Windows 10 is not affected, because that operating system uses its own native fingerprint reader support instead of Fingerprint Manager Pro.