Lenovo’s Fingerprint Manager Pro featured in its ThinkPad, ThinkStation and Thinkcentre computers has a security vulnerability that exposes users to potential hacking risks. The news was relayed by Lenovo in a forum post expanding upon the security flaw, along with which computers are affected.
The vulnerability allows hackers to use a hardcoded password to access Windows login credentials and fingerprint data due to a weak algorithm. The affected computers are running Windows 7, 8 and 8.1. Lenovo computers running Windows 10 did not require the software, avoiding the flaw altogether.
Here is Lenovo’s complete statement of the flaw:
A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.
The good news is that the vulnerability can only be exploited by those who have local access to the system, meaning potential hackers need to have direct access to the computers. Lenovo has since pushed out an update, version 8.01.87, to patch the flaw. Below is a list of the computers that may have come with Lenovo’s Fingerprint Manager Pro installed. If you own a computer that is affected, update accordingly.
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900