A security flaw was recently identified in Fingerprint Manager Pro, an application developed by Lenovo that allows users to log in to Windows machines and websites by scanning a fingerprint with the fingerprint scanner embedded in selected Lenovo products.
Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.
This vulnerability allows an attacker to take advantage of the hard-coded password to bypass fingerprint authentication, and even decrypt existing Windows logon credentials and fingerprint data. Versions of Lenovo Fingerprint Manager Pro for Windows 7, 8, and 8.1 are affected.
What Can You Do?
Update your device to the latest version of Lenovo Fingerprint Manager Pro, which fixes this problem. The company advises users of affected Lenovo machines to install the latest version as soon as possible. The update can be found here: https://pcsupport.lenovo.com/us/en/downloads/ds034486
Here is a list of the affected systems:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
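
To check whether a given machine is in scope, the following added example (not Lenovo's code and not part of the original advisory) compares the hardware against the list above and reports any installed Fingerprint Manager Pro version. It assumes that Lenovo systems report the friendly model name in `Win32_ComputerSystemProduct.Version` and the four-character machine type at the start of `Win32_ComputerSystem.Model`, and it uses `Get-WmiObject` so that it also runs on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example: exposure check for the advisory above. Model names and machine
# types are copied from the affected-systems list; nothing else is assumed about them.
$families = @{
    'ThinkPad'     = 'L560','P40 Yoga','P50s','T440','T440p','T440s','T450','T450s',
                     'T460','T540p','T550','T560','W540','W541','W550s',
                     'X240','X240s','X250','X260','Yoga 460'
    'ThinkCentre'  = 'M73','M73z','M78','M79','M83','M93','M93p','M93z'
    'ThinkStation' = 'E32','P300','P500','P700','P900'
}
$affectedNames = foreach ($f in $families.Keys) {
    foreach ($m in $families[$f]) { "$f $m" }
}
# X1 Carbon and Yoga 14 are listed by machine type, so match those on the type code.
$affectedTypes = '20A7','20A8','20BS','20BT','20FY'

# Assumption: friendly name in ComputerSystemProduct.Version, type code in Model[0..3].
$friendly = [string](Get-WmiObject Win32_ComputerSystemProduct).Version
$model    = [string](Get-WmiObject Win32_ComputerSystem).Model
$type     = if ($model.Length -ge 4) { $model.Substring(0, 4).ToUpper() } else { '' }

$modelAffected = ($affectedNames -contains $friendly.Trim()) -or
                 ($affectedTypes -contains $type)

# Look for the application in both the native and the 32-bit uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Fingerprint Manager Pro*' })

New-Object PSObject -Property @{
    FriendlyModel     = $friendly
    MachineType       = $type
    ModelInAdvisory   = $modelAffected
    SoftwareInstalled = ($installed.Count -gt 0)
    InstalledVersions = ($installed | ForEach-Object { $_.DisplayVersion }) -join ', '
}
```

The page does not state the fixed version number, so compare `InstalledVersions` with the version offered on the Lenovo download page linked above. The name match is exact, so a `False` in `ModelInAdvisory` on a machine where the software is installed still warrants a manual check.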