Lenovo ThinkPads hit by fingerprint software flaw
05 February 2018 17:05 GMT

Lenovo has had to issue a patch after fingerprint software on the company's ThinkPad, ThinkCentre and ThinkStation devices was found to have a vulnerability.

The flaw in Lenovo's Fingerprint Manager Pro enabled attackers to log into devices running Windows 7, 8 and 8.1: anyone could log into your PC with a hardcoded password, skipping the fingerprint reader altogether. Doing so would require physical access to your PC.

Because the exploit can only be carried out with local access to the system, the hacker has to be physically in front of the affected notebook to take full advantage of the flaw.

"A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," explained Lenovo.

Machines that have been updated to, or shipped with, Windows 10 are not affected. Those machines use Microsoft's own fingerprint-reading software.