Oh no, Lenovo. Users are reporting on the company’s forums that its laptops are shipping with adware straight out of the box. Worse, the adware can snoop on connections the browser reports as secure.
According to a number of Lenovo users, software called Superfish is installed on factory-fresh laptops. The adware injects third-party ads into Google searches and onto websites without the user’s permission, on Chrome and Internet Explorer at least. That alone is bad but not awful. But other users have pointed out that the adware also installs its own self-signed root certificate authority into the system’s trust store and uses it to generate certificates for HTTPS sites on the fly. Because the browser trusts that root, Superfish can sit in the middle of encrypted connections and read them, with no warning shown.
Security expert Kenn White has posted images on Twitter showing, as an example, that on an affected machine the certificate presented for Bank of America is issued by Superfish, whereas it would normally be issued by a publicly trusted body such as VeriSign. Given that Superfish’s whole purpose is to inspect browsing data and forward it to ad companies, giving it access to secure content in this way is clearly a Bad Thing.
But it gets worse. Superfish appears to use the same private key for its root certificate on every machine it is installed on, explains The Verge. That key is therefore a single secret shared across the whole installed base. If anyone extracts or cracks it, they can sign certificates for any website that every Superfish-equipped Lenovo computer (at this point, probably most of them) will trust, letting an attacker on the same network impersonate a bank or a software-update server and slip malicious code in unannounced.
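To make the shared-root-key problem concrete, here is an added example (not code from the article, from Lenovo or from Superfish) that reproduces the trust relationship with Go’s standard library: it generates a self-signed root in the role of the interceptor’s CA, mints a certificate for a bank hostname under it, and then runs the same chain check a browser does against a trust store that contains the root and one that does not. The CA name and the hostname are assumptions for illustration; the real Superfish certificate and its key are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Illustrative name for the interceptor's root (an assumption for this example,
// not copied from the real Superfish certificate).
const interceptorCA = "Superfish, Inc."

// Assumed target host; the article only says "Bank of America".
const targetHost = "www.bankofamerica.com"

func validity() (time.Time, time.Time) {
	now := time.Now()
	return now.Add(-time.Hour), now.Add(24 * time.Hour)
}

// newRootCA generates a self-signed root and its private key. On an affected
// laptop such a root is preinstalled in the trust store, and the matching
// private key is identical on every machine.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nb, na := validity()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             nb,
		NotAfter:              na,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// mintLeaf issues a server certificate for host signed with caKey. The
// interception proxy does this on the fly for every HTTPS site; anyone else
// who obtains the shared key can do exactly the same.
func mintLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nb, na := validity()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    nb,
		NotAfter:     na,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedFor performs the check a browser does before showing the padlock:
// does leaf chain to one of roots, and is it valid for host?
func trustedFor(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// issuerName is the field to inspect: for a real bank site it names a public
// CA, on an affected machine it names the interceptor.
func issuerName(c *x509.Certificate) string {
	return c.Issuer.CommonName
}

func main() {
	root, rootKey, err := newRootCA(interceptorCA)
	if err != nil {
		panic(err)
	}
	leaf, err := mintLeaf(targetHost, root, rootKey)
	if err != nil {
		panic(err)
	}
	affected := x509.NewCertPool() // a laptop that shipped with the root installed
	affected.AddCert(root)
	clean := x509.NewCertPool() // a machine that never trusted it

	fmt.Println("issuer:", issuerName(leaf))
	fmt.Println("trusted on affected machine:", trustedFor(leaf, targetHost, affected))
	fmt.Println("trusted on clean machine:   ", trustedFor(leaf, targetHost, clean))
}
```

The leaf verifies only where the root is trusted, which is exactly the point: the root is the same on every affected laptop, so whoever holds its private key can pass this check on all of them. The quick manual check is the one in the tweeted screenshots: open the certificate for an HTTPS site and look at who issued it. A bank’s certificate should chain to a public CA, never to a name installed by bundled software.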
Appearing in the forums in January, a Lenovo community administrator called Mark Hopkins wrote that Lenovo has “temporarily removed Superfish from our consumer systems” but defended its presence, explaining that it “helps users find and discover products visually” and “instantly analyses images on the web and presents identical and similar product offers that may have lower prices.” Now that a rather serious security hole has been identified, it may think differently.
We’ve got in touch with Lenovo to find out what its current stance on Superfish is. [The Next Web, Verge]