Lenovo has identified and fixed a high-severity vulnerability in Lenovo Fingerprint Manager Pro that allowed anyone with physical access to the laptop to gain login credentials and other sensitive data of a user.
Fingerprint Manager Pro is software that comes pre-installed on ThinkPad, ThinkStation and ThinkCentre machines running Windows. It authenticates users and lets them log into their PCs with a fingerprint rather than typing passwords manually.
The vulnerability is due to a fault in the encryption algorithm used for the Windows login credentials, which uses a hardcoded password. As a result, the credentials can be accessed by anyone with local non-administrative access to the system.
The impacted products, running Windows 7, 8 and 8.1, include:
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900
Lenovo rectified the vulnerability and released a patch on January 25th. The company also says that Windows 10 models aren’t affected, as these systems use Microsoft’s built-in fingerprint reader support.