Lenovo's Fingerprint Manager Pro exposed user passwords, security update released
Lenovo announced that week that a security vulnerability exposed user login credentials and fingerprint data through the proprietary Fingerprint Manager Pro software. This utility comes with most of Lenovo’s ThinkPad, ThinkCentre and ThinkStation PCs, and its deficient encryption algorithm could be exploited to bypass the fingerprint scanner altogether in order to gain access to the entire system.
On January 25, Lenovo issued a security update with the explanation that the vulnerability only affected devices running Windows 7/8/8.1, but not Windows 10, as this version has its own fingerprint manager known as Hello. Lenovo also specified that the vulnerability was exploitable only via local access to the affected device, so hackers could not actually gain remote control of the systems over an internet connection. This vulnerability was identified by Jackson Thuraisamy from Security Compass.
It seems Lenovo knew about this problem for some time: the vulnerability announcement advises affected users to install version 8.01.87, released on January 12, yet the company chose to make the situation public only on January 25.