Lenovo PCs Preloaded with Dangerous Adware



A vulnerability has been discovered in a piece of software that ships pre-loaded onto Lenovo computers that could grant hackers access to a user’s secure browser data, allowing third parties to potentially collect passwords, bank details, and other sensitive information.

Superfish, an adware program that Lenovo admitted in January it included as standard on its consumer PCs, reportedly acts as a “man-in-the-middle” so it can access private data for advertising purposes. The adware makes itself an unrestricted root certificate authority, installing a proxy capable of producing spurious SSL certificates whenever a secure connection is requested. SSL certificates are small files, used by banks, social networks, retailers such as Amazon, and many others, to prove to incoming connections that the site is legitimate. By creating its own SSL certificates, Superfish is able to perform its advertising tasks even on secure connections, injecting ads and reading data from pages that should be private.
The Verge 2/19/15

Lenovo has responded to The Verge, saying it is “thoroughly investigating all and any new concerns raised regarding Superfish.” The company also confirmed that Superfish disabled activation on existing machines last month and that it had been removed from new machines. In January, the company said the technology was innocuous, but the company’s defense of the adware failed to take into account the glaring security hole the world’s largest PC manufacturer has apparently built into thousands of its PCs.
The Verge 2/19/15
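
A defender's check for the condition described above, as an added example that is not from the article or from Lenovo: it lists the Windows trusted-root stores and flags any root whose name matches a watchlist or whose private key is present on the machine. The watchlist pattern and the private-key heuristic are assumptions; only the name Superfish comes from the article.

```powershell
# Added example: audit the Windows trusted-root stores for signs of a locally
# installed interception CA. The watchlist pattern is an assumption; only the
# name "Superfish" comes from the article.
$watchlist = 'Superfish'
$stores    = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()

        # Name match on either field, since a root CA is normally self-issued.
        if ($_.Subject -match $watchlist -or $_.Issuer -match $watchlist) {
            $reasons += 'name matches watchlist'
        }

        # A trusted root whose private key sits on the endpoint can mint a
        # certificate for any site locally, which is what an interception
        # proxy needs. Public CAs never ship their private keys to clients.
        if ($_.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reasons    = $reasons -join '; '
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output 'No trusted root matched the watchlist or holds a local private key.'
}
```

Applications that keep their own trust store instead of using the Windows one are not covered by this check.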
