Lenovo is using the third worst password in the world

Last week security group SplashData revealed a list of the worst passwords.

Now, none other than tech giant Lenovo has been caught using one of the worst examples on the list to protect file transfers made with its SHAREit software.

SHAREit is a programme that comes bundled with most Lenovo laptops and
desktop computers, and allows users to transfer files to and from
devices wirelessly.

Related: Best free anti-virus

A security advisory from Core Security identifies the company as using the password ‘12345678’ to protect the WiFi hotspot that is created when using the service.

That’s number three on the list of worst possible passwords, directly after ‘123456’ and ‘password’.

The advisory states: “When the WiFi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit.

“The files are transfered via HTTP without encryption. An attacker that is able to sniff the network traffic could to view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files.”

A man in the middle attack involves the attacker secretly relaying and possibly altering communication between two parties who think they are only communicating with one another.

The advisory continues: “When the application is configured to receive files, an open WiFi HotSpot is created without any password. An attacker could connect to that HotSpot and capture the information transferred between those devices.”

Related: Best smartphones and mobile phones

There are several other vulnerabilities identified in the advisory, all of which are certainly cause for concern.

Sean Sullivan, Security Advisor at internet security firm F-Secure Labs, said: “It looks to me as though SHAREit is relying on ‘security through proximity’.

“The assumption being that anybody sharing wirelessly will be out of range of anybody with malicious intentions.

“I think that’s a rather poor assumption to make. A default password might be fine, but if the password is always ‘12345678’ with no option to change it – that’s a fail.”

This isn’t the first time Lenovo has had trouble with security.

Last year it was caught installing adware in the form of Superfish on several of its laptops.

Superfish collects data, such as web traffic information, to push adverts to users.

Following the revelation, Lenovo promised to reduce the amount of bloatware that came with their products and become “the leader in providing cleaner, safer PCs”.

TrustedReviews has reached out to Lenovo for a response.