An advisory issued by ElcomSoft reveals a security flaw in the UPEK Protector Suite, the fingerprint-reading software that shipped with the majority of laptops equipped with UPEK fingerprint readers until Authentec acquired the company and changed to different software.
ElcomSoft reveals that, until only recently, most major manufacturers, such as Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, SONY and Toshiba, were using fingerprint readers manufactured by UPEK.
The UPEK Protector Suite manages the fingerprint-reading hardware, which lets users do away with typing passwords and use a single finger swipe to the same effect. Over time, the UPEK Protector Suite caches the passwords, and users are offered almost instant logins to websites.
ElcomSoft mentions in its post that when multiple laptops running the UPEK Protector Suite were analysed, it was found that several Windows account passwords were stored in the Windows registry in almost plain text.
The post goes on to add that, with access to a laptop running the UPEK Protector Suite, it was possible to get the passwords to all user accounts using the finger swipe login.
Importantly, ElcomSoft notes that the scope of the problem is very broad and is not limited to a specific laptop model or manufacturer. According to ElcomSoft, users who have ever registered their fingerprints with the UPEK Protector Suite to get almost instant logons, and entered their account password there, are at risk.
The post advises that users launch the UPEK Protector Suite and disable the Windows Logon feature, which should clear the stored password on the laptop.