Laptops from many of the world's top PC makers ship with fingerprint readers that rely on vulnerable software, ZDNet reported Thursday. Russia's ElcomSoft, a developer of Windows software, said it discovered a flaw in UPEK Protector Suite, a fingerprint reader program, that compromises a computer's security.
Protector Suite lets users swipe a finger instead of entering a password. To support this one-finger logon, the software records passwords for Web sites and for Windows itself.
"We found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted," ElcomSoft's Olga Koksharova wrote in a blog post. "We could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable 'automatic login,' which is discouraged by Microsoft."
Windows lets users enable that setting after warning them that automatic logon is a security risk.
The UPEK flaw is "nothing but a big, glowing security hole compromising the entire security model of Windows accounts," ElcomSoft said.
Laptop manufacturers using UPEK software include Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, Sony, and Toshiba.
Users with UPEK Protector Suite software should disable the Windows logon feature, ElcomSoft said.