Lenovo Installs Superfish Adware On Its New Computers

Oh no, Lenovo. Users are reporting on the company’s forums that its computers are shipping with adware installed straight out of the box — adware that can monitor secure connections.

According to a number of Lenovo users, software called Superfish is installed on factory-fresh laptops. The adware injects third-party ads into Google searches and onto websites without the user’s permission — on Chrome and Internet Explorer, at least. That, alone, is bad but not awful. But other users have pointed out that the adware also installs its own self-signed certificate authority — creating spurious SSL certificates — allowing it to monitor secure connections.

Security expert Kenn White has posted images on Twitter showing that, as an example, the software provides a certificate issued to Bank of America, but issued by Superfish — whereas usually that would be done by a trusted body like VeriSign. Given Superfish’s whole purpose is to check and forward browsing data to ad companies, allowing it to access secure content in this way is clearly a Bad Thing. But it gets worse. It seems Superfish uses the same private key for its root certificate on every machine it’s installed on, explains The Verge. If someone could crack that key, it would be possible to create certificates that any Superfish-fuelled Lenovo computer — probably, at this point, most of them — would trust, allowing malicious code to wriggle in unannounced.
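As an added illustration (not from the article or from Lenovo), this PowerShell snippet audits a Windows machine's trusted root stores for a certificate authority whose name contains "Superfish", which is the check an administrator would run to confirm whether a laptop is affected. It assumes only that the injected root carries "Superfish" in its subject or issuer name; the thumbprint it prints can be compared across machines, since an identical thumbprint everywhere is what a shared root key looks like in practice.

```powershell
# Added example: look for an unexpected self-signed root CA in both root stores.
# Assumption: the suspect CA's subject or issuer contains the string "Superfish".
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        Select-Object `
            @{ Name = 'Store';        Expression = { $store } },
            Subject,
            Thumbprint,                                          # same on every host = same key
            NotAfter,
            @{ Name = 'SelfSigned';   Expression = { $_.Subject -eq $_.Issuer } },
            @{ Name = 'HasPrivateKey'; Expression = { $_.HasPrivateKey } }
}

if ($suspect) {
    Write-Warning "Unexpected root CA present; browsers will trust any certificate it signs."
    $suspect | Format-Table -AutoSize
} else {
    Write-Output 'No Superfish root certificate found in the local root stores.'
}
```

Removing the root from the store is only half of a cleanup: the software that installed it must be uninstalled as well, or it can simply put the certificate back.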

Appearing in forums in January, a Lenovo community administrator called Mark Hopkins wrote that Lenovo has “temporarily removed Superfish from our consumer systems” but defended its presence, explaining that it “helps users find and discover products visually” and “instantly analyses images on the web and presents identical and similar product offers that may have lower prices.” Now that a rather serious security hole has been identified, it might think differently.

We’ve got in touch with Lenovo to find out what its current stance on Superfish is. [The Next Web, Verge]
