Lenovo identified and fixed a high-severity vulnerability in Lenovo Fingerprint Manager Pro that allowed anyone with physical access to the laptop to obtain a user's login credentials and other sensitive data.
Fingerprint Manager Pro is software that comes pre-installed on ThinkPad, ThinkStation and ThinkCentre machines running Windows. It authenticates users and lets them log in to their PCs with a fingerprint rather than typing passwords manually.
The vulnerability stems from a flaw in the encryption algorithm that protects the Windows login credentials, which uses a hardcoded password. As a result, these credentials can be accessed by anyone with local non-administrative access to the system.
The impacted products, running Windows 7, 8 and 8.1, include:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
Lenovo rectified the vulnerability and released a patch on January 25th. The company also states that Windows 10 models aren’t affected, as these systems use Microsoft’s built-in fingerprint reader support.