Got a Lenovo computer? You might want to throw that out of the window right now if you value your privacy. Users are reporting on the company’s forums that its computers ship with adware straight out of the box. The adware, called Superfish, could grant hackers access to a user’s secure browser data, allowing third parties to potentially collect passwords, bank details, and other sensitive information.
Superfish does this by injecting third-party ads into Google searches and onto websites without the user’s permission, on Chrome and Internet Explorer at least. That alone is bad but not awful. But other users have pointed out that the adware also installs its own self-signed certificate authority, which lets it create spurious SSL certificates for any site and so intercept connections that are supposed to be secure.
This is not the first time that Lenovo has been caught doing so. A Lenovo community administrator, Mark Hopkins, wrote in late January that the software would be temporarily removed from current systems after irate users complained of popups and other unwanted behavior: “We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.” He went on to defend the program, stating that it “helps users find and discover products visually” and “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.”
This is a problem. #superfish pic.twitter.com/jKDfSo99ZR
— Kenn White (@kennwhite) February 19, 2015
Security expert Kenn White has posted images on Twitter showing, as an example, a certificate for Bank of America that was issued by Superfish, where it would normally be issued by a trusted certificate authority such as VeriSign. The nature of Superfish, a program capable of reading web traffic and sending that data onwards for advertising purposes, means that hackers could potentially access information transmitted across supposedly secure connections: online stores and banking sites, for example, that have https:// in their URLs and display a lock in users’ browsers.
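As an added example (not from the article, Lenovo or Superfish), the following Python script shows how a defender can spot this kind of interception from the client side: it fetches a site's leaf certificate through the OS trust store (the same path a browser on an affected machine takes) and flags an issuer that names Superfish, a self-signed leaf, or a fingerprint that differs from one recorded on a known-clean machine. The sample certificate dictionaries and the `bank.example` hostname are constructed for the demonstration.

```python
import hashlib
import socket
import ssl

SUSPECT_ISSUER_MARKERS = ("superfish",)  # per the article, the bogus certs are "issued by Superfish"

def fetch_peer_cert(hostname, port=443, timeout=5):
    """Return (cert_dict, der_bytes) for the leaf cert the OS trust store accepts."""
    # Default context on purpose: with the Superfish root installed, this is the
    # certificate a browser on that machine silently trusts.
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def rdn_value(name, key):
    """Pull one attribute (e.g. 'organizationName') from ssl's nested-tuple name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return ""

def assess(cert, der=None, expected_fingerprint=None):
    """List interception findings for one peer cert; an empty list means nothing suspicious."""
    issuer = cert.get("issuer", ())
    issuer_text = rdn_value(issuer, "organizationName") + " " + rdn_value(issuer, "commonName")
    findings = []
    if any(m in issuer_text.lower() for m in SUSPECT_ISSUER_MARKERS):
        findings.append("issuer names Superfish: " + issuer_text.strip())
    if issuer and issuer == cert.get("subject"):  # a public site's leaf is never self-signed
        findings.append("leaf certificate is self-signed")
    if der is not None and expected_fingerprint:  # strongest check: pin from a known-clean machine
        seen = hashlib.sha256(der).hexdigest()
        if seen != expected_fingerprint.lower():
            findings.append("fingerprint " + seen[:16] + "... differs from the clean-machine value")
    return findings

def sample_cert(issuer_org, issuer_cn, subject_cn="bank.example"):
    """Constructed cert in ssl.getpeercert() shape (not a real capture); bank.example is a placeholder."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("organizationName", issuer_org),), (("commonName", issuer_cn),))}

SAMPLE_SUPERFISH_CERT = sample_cert("Superfish, Inc.", "Superfish, Inc.")
SAMPLE_CLEAN_CERT = sample_cert("Example Public CA", "Example Public CA G2")

if __name__ == "__main__":
    for label, sample in (("superfish", SAMPLE_SUPERFISH_CERT), ("clean", SAMPLE_CLEAN_CERT)):
        print(label, assess(sample) or "no findings")
```

To check a live host, pass the result of `fetch_peer_cert(host)` to `assess`, together with the SHA-256 fingerprint of the same site's certificate captured on a machine that never had the Superfish root installed.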
Lenovo is far from the only OEM that pre-installs software on its computers, but shipping machines with what looks very much like malware is outrageous.