Lenovo Fingerprint Manager Pro is an application that shipped on more than two dozen Lenovo ThinkPad laptops and desktops released with Windows 7, Windows 8, and Windows 8.1 software. The company stopped shipping it on systems that come with Windows 10, because Microsoft has added native support for fingerprint recognition to the operating system.

But if you have one of those older systems, Lenovo’s software would let you log in to the PC with a fingerprint or access websites and other content using your fingerprint rather than by typing in a password.

Unfortunately, Lenovo Fingerprint Manager Pro was kind of a security nightmare. Lenovo has released a security notice urging anyone using the software to upgrade to a newer version (although I wouldn’t blame you for just deciding to stop using it altogether).

The language in the advisory is pretty interesting, since Lenovo basically admits that its software was easily hackable, and it doesn’t sound like the company took any common-sense steps to ensure that it wasn’t:

“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”

Lenovo gives credit to Jackson Thuraisamy from Security Compass for identifying the issue, but it really sounds like bad design rather than a flaw that needed to be “identified.”

You can find the list of affected Lenovo PCs in the security notice. And if you want to keep using the software, you can download the latest version from the Lenovo support site.

via The Register and ThreatPost


One reply on “If you’re using Lenovo Fingerprint Manager Pro, update your software”

  1. Well, most of these old swipe-down fingerprint sensors are more of a security risk than not; you can fool most of them with a piece of tape and a fingerprint of the original user somewhere on the notebook (or a nearby mug on their desk or something). No buggy software needed for the feat.
