According to Lenovo's disclosure, Fingerprint Manager contains a hard-coded password that gives access to local non-administrator accounts. In addition, the app stores sensitive data such as Windows credentials and fingerprint data encrypted with a "bad algorithm".
Lenovo wrote: "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows credentials and fingerprint data, is encrypted using a weak algorithm and contains a hard-coded password that gives access to all local non-administrative accounts."
The vulnerability was discovered by Jackson Thuraisamy of Security Compass. According to information posted on the Lenovo website, the complete list of devices equipped with Fingerprint Manager is as follows:
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900
Users of affected devices are advised to install version 8.01.87 as soon as possible.