The popular Chinese PC manufacturer Lenovo recently rolled out security patches for a severe vulnerability in its Fingerprint Manager Pro software that could allow attackers to more easily gain access to sensitive data stored by the users. It issued a fix for a hardcoded password flaw impacting ThinkPad, ThinkCentre, and ThinkStation laptops.
Lenovo Fingerprint Manager Pro is a utility that allows users to log into their PCs or authenticate to configured websites using fingerprint recognition.
In a security advisory notice giving brief about the vulnerability, Lenovo warns:
“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows login credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”
The flaw affects nearly a dozen Lenovo laptop models that run versions of Microsoft Windows 7, 8 and the 8.1 operating system. Here’s the full list of them:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
According to Lenovo, Fingerprint Manager Pro version 8.01.86 and earlier contains a hard-coded password vulnerability, that made the software accessible to all users with local non-administrative access. So, to address the issue, the company is urging users of the above-mentioned laptops to update their Lenovo Fingerprint Manager Pro version to 8.01.87 or higher.
However, Lenovo users with Windows 10 need to worry as they are not impacted by the vulnerability because that version of Microsoft’s operating system supports native fingerprint reader technology.