Lenovo has disclosed a high severity flaw that could let hackers bypass its fingerprint scanner and decrypt sensitive data Reuters/Kim Kyung-Hoon

Lenovo has disclosed a security vulnerability in some of its devices that could allow a malicious actor to bypass the fingerprint scanner.

The security flaw was discovered in its Fingerprint Manager Pro software — an application embedded in certain Lenovo products that allows users to easily log into their PC and authenticate configured websites using fingerprint recognition.

In a security advisory issued last week, the company warned that sensitive data stored by the software, including users' Windows login credentials and fingerprint data, is encrypted using a weak algorithm. The fingerprint scanner also features a hard-coded password that is "accessible to all users with local non-administrative access to the system it is installed in".

The high severity-rated flaw could potentially allow a hacker to log into a vulnerable computer using the hard-coded password and decrypt one's credentials and sensitive data. However, the vulnerability can only be exploited by a person with physical access to the machine and cannot be done remotely or online, the company noted.

Select models of Lenovo's ThinkPad, ThinkCentre and ThinkStation systems are affected by this vulnerability. Jackson Thuraisamy from Security Compass first identified the issue and reported it to Lenovo.

Devices running Lenovo Fingerprint Manager Pro for Windows 7, 8 and 8.1 versions are affected. Models with Windows 10 have not been affected by the flaw.

The company has already released an update on 25 January — version number 8.01.87 — that fixes the vulnerability CVE-2017-3762.

Users have been advised to download and install version 8.01.87 or later of the Fingerprint Manager Pro app. Here is the full list of affected machines according to Lenovo:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900