Earning a high severity level from Lenovo’s own security advisory, anyone currently using a select number of the company’s Thinkpad, ThinkStation, and Thinkcentre systems should know that there’s an important vulnerability that needs to be fixed.
That’s because hidden within Lenovo’s Fingerprint Manager Pro software, there’s a flaw on machines running Windows 7, 8, and 8.1 that could potentially let a hacker log in to your computer using a hardcoded password, bypassing the fingerprint scanner, and even decrypt your current Windows credentials.
According to Lenovo, “A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”
Thankfully, this vulnerability was only exploitable to those with local access to the system, meaning that any attempts to bypass Lenovo’s fingerprint security had to be done in person, rather than online. And as of Thursday, 25th January, Lenovo has released an update (version number 8.01.87) that includes fixes for the various issues.
For a full list of the affected machines, see the list below.
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900