When Lenovo shipped some of their notebook products worldwide last year, some users discovered they came with a piece of pre-installed tracking software. The software, Superfish, was created by a company of the same name, which apparently paid Lenovo “very minor compensation” to be able to install the software on their computer models.

Why is this a big deal?
Superfish pushes ads on the laptop owner’s browser. While this is mildly annoying, that’s not the problem. The big issue in the words of one of the first users who discovered the adware:
“[Superfish] will hijack ALL your secure web connections (SSL/TLS) by using self-signed root certificate authority, making it look legitimate to the browser.”

What this essentially means is, the tracking software tricks the computer’s browser into thinking it has a secure connection, even when it doesn’t. This is so it can sneak in more annoying ads to the browsers of unsuspecting users, but in doing so it makes way for a massive breach in security by potentially exposing users to what is known in the computer security world as a “man-in-the-middle” attack.

Superfish got this network interception technology from another tech firm, Komodia, who has called their SSL interception engine a “hijacker” that allows easy access to data as well as “the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.”

While this is already bad enough, Komodia uses the same key for all computers – and the key has been proven to be easily extractable, making it easier for attackers to use it to sign their own certificates. What’s more its own SSL validation is broken – it validates untrusted/invalid/self-signed certificates. It is as many say: “spectacularly bad.”

With Superfish/Komodia installed, that HTTPS page you’re looking at – when you’re doing online banking, for example – may not be as secure as it seems. While it takes some effort and some serious hacking knowledge and skills, attackers can exploit this weakness and use it to get people’s sensitive information such as passwords, emails, or credit card details.

Not just Superfish
To make things even worse, it isn’t just Superfish that uses the Komodia engine. Other programs have been found that use the same technology as well and these include:

  • ArcadeGiant
  • CartCrunch Israel
  • Catalytix Web Services
  • Objectify Media
  • OptimizerMonitor
  • Over the Rainbow Tech
  • Say Media Group
  • SecureTeen
  • System Alerts
  • WiredTools L

Getting rid of it
Lenovo has since admitted and apologized to users for this massive mistake. They have gone on record saying: “We messed up badly here. We made a mistake. Our guys missed it. We’re not trying to hide from the issue – we’re owning it.”

In case you’re using a Lenovo computer and are worried about having the Superfish vulnerability on your system or if you just want to make sure that you don’t have any Komodia-powered software on your computer, you can visit Valsorda’s online Superfish CA test If the page displays a “YES”, you can follow Lenovo’s instructions to remove the software.

You can also get more information from CERT/CC at http://www.kb.cert.org/vuls/id/529496.

26 Comments
  1. The first thing any savvy computer buyer should do is uninstall the mountain of bloatware that manufacturers bundle with laptops. Even if not dangerous, this stuff hogs resources and is mostly useless.

  2. I honestly hate when PCs come with pre installed stuff. First thing I always do is format the HDD and make a fresh install of an OS. This is a procedure I would suggest to anyone especially those who are buying PCs which are already ”set up” for use. How Lenovo managed to ”miss” something as important as this is beyond me.

  3. I’ve got a Lenovo X220 from a few years ago, I assume I should be safe since this was done just last year right? Though I never did uninstall the Lenovo software that came with my laptop, since some of it seems useful enough. It really is shameful for Lenovo to add tracking software to their computers, at least they admitted and so that’s another plus for Lenovo in my books.

  4. I don’t like when software is added to any of my computers because they sow the unit down and are full of viruses and maleware. This companies make it extremely hard to remove theses programs as well and require you to buy a removal software, which is probably full of viruses itself. Really, it’s all a game because these companies are in on it together and they keep that money circulating.

  5. I think this just adds yet another benefit to building your own machine. It’s already time consuming to have to remove all of the bloatware that we’ve come to know and love on machines that are sold at Walmart and BestBuy. Bloatware has always been annoying, but apparently it’s moved into the dangerous category, especially for users of computers that don’t understand that the stuff that comes pre-installed on their computer isn’t always useful. The added fact that apparently “compensation” is now being given to manufacturers to allow dangerous software on prebuilt machines is a dangerous precedent to be setting.

  6. Lenovo really dropped the ball on this one, and this incident made quite the nasty impressions when they launched their new models.

    This is really quite disturbing; https and ssl certificate technology was perhaps the last great security measure against phishing and malicious internet websites. I always install the https everywhere addon in my browser but if my laptop were to have superfish, all of that wouldn’t have mattered.

    • I used to think Lenovo was a really cool company, but after this incident I no longer trust them one bit, who would, right? I was thinking of buying a lenovo laptop last year, right after my old Toshiba laptop kicked the bucket, but I didn’t. I’m so glad I didn’t!

      The lenovo laptop I wanted to get sounded great, with a longer battery life than the Toshiba I ended up buying, I regretted it at first, but not anymore.

  7. I recently heard about this whole superfish thing with Lenovo, and I have to say I’m very disappointed in that company. I was going to buy a new laptop this summer and it was down to either Lenovo or Asus. Guess I know which brand I’m going with…

  8. Wow. I’m never going to buy another Lenovo product again, and I trust many other people will do the same. The damage done to the brand is probably irreversible, sacrificing the security of your clients for short-term profit will never pay off in the long run.

  9. Shame on the Lenovo guys for doing that! They should have never allowed that company do that, that is just not ethical and I bet a lot users will think it twice before buying one of those computers! I for one will never buy anything from Lenovo, not after reading this article. I’m sicking to Toshiba after this laptop kicks the bucket.

    • I know. I myself own a Lenovo product and I guess I didn’t know that actually happened. I thought it was just good in terms of price but they do that for their own benefit.

  10. I think you have just put me off buying anything from Lenovo. I find it very worrying that an ad tracking piece of software can just be added in to something you buy and breach security for you without your even being aware of it. I do not understand all the technical stuff, but I find it worrying enough that you can look up something in your browser and then find targeted ads on the next ad sense or other ad something website you visit. It does not make the world feel a very safe place and one wonders if sooner or later this kind of thing will not be used to spread some insidious kind of propaganda. It is probably already used to collect more information than we know about us.

    I think one reason why there is such a problem with unwanted software being added to what we buy is that most of us would not have a clue it exists and just put up with it. Many people on finding it would think using a software removal tool complicated and be afraid to use it in case they messed up their computer. That means they pay out to get someone else to do it, if indeed, they are evcr aware of it at all.

  11. Wow, wow, wow. If I had purchased one of these computers, I don’t think there are words to accurately describe how angry I would have been to find out my personal security had been compromised in such a manner. This issue seems worth a big lawsuit. There is NO excuse for this to have happened and Lenovo needs to be punished in order to bring awareness to them and other manufacturers so they will be fanatical about not letting anything like this ever happen again.

  12. My sister bought a Lenovo laptop a number of years ago and really liked it, so I’ve always thought well of them. It’s such a disappointment when companies you trust end up being fishy. Man-in-the-middle attacks are pretty serious business. I had a friend lose a few thousand dollars due to man-in-the-middle problems (although not related to Superfish – it was a different problem). Part of me can’t help but wonder if Lenovo might have been forced by… well, maybe there’s some weird government conspiracy here is what I’m trying to say! I’m a sucker for conspiracy theories though 🙂

  13. Any time I purchase any OEM computer system or device, I always completely wipe it and install a fresh OS on it. One can never tell what dodgy software come preinstalled on these computers. Even trusted names like Sony have had their credibility shaken with rootkits and trying to install things without the customer’s knowledge.

  14. It is very scary that a very high level company like Lenovo would let something as dangerous as this get through. Makes me wonder what they were doing dealing with something like Superfish anyways. It is a good thing that it was discovered and Lenovo is taking it head on, but it worries me that something like this could happen to a different company and people may not find out as quickly.

    • I don’t want too sound too judgmental or mean, but I have the suspicion Lenovo knew what they were getting into; they just didn’t see beyond the cash they were going to get. They probably thought they’d be able to get away with it… that happens when you let greed cloud your judgement.

  15. This is disgusting. Superfish probably paid Lenovo a million dollars to preload this app, and look where its gotten them. This is how greed and capitalism are ruining the lives of thousands of people.
    If I was bribed like this, I would say “NO!”

  16. The article is definitely very informative. I haven’t heard about this before and now im more aware of how easy it is for companies to create this kind of stuff that will not only fool our browsers/computers, but also fill and ruin our browsing expierences with annoying ads.

  17. Wow, that’s really a bad thing that happened to Lenovo! Even though I’m glad they are owning up to their mistake, they should really be more careful with what deals they sign.
    Things like this can really ‘shatter’ a company’s integrity.

  18. Lenovo did a very dumb move. They were most likely in it for the money. Letting another company have programs installed on every model? Sounds very fishy to me if I was Lenovo. I would do background checks and I would hire someone to check out if this program can cause any harm. Once again, very stupid on Lenovo’s behalf.

  19. We’ve actually recently-ish a few months-a year ago, it was however a desktop not a laptop.

    This is the first time I’ve ever heard of Superfish however and I will be checking our computer for it definitely! There ween’t any ads on the browsers at all which was a good sign. Luckily we don’t do internet banking of any kind and I don’t think even purchased anything online through that computer which is good.

    Thank you for the heads up though, I might have missed this otherwise!

  20. Superfish? More like Spyfish, if you ask me. Giants like Lenovo don’t tend to make mistakes with their products, but when they do, it’s big. How can one team of professionals (I assume they have professionals at Lenovo) miss bloatware while checking the bundle? Man, they screwed up on this one…

    • Either that or they received a pretty hefty backhander! I am not convinced that this was “missed” at all!

  21. I think it could be something to worry about if people aren’t so cautious when it comes to using the internet. I think a lot of things could be something to worry about if not extra caution is taken, to be honest, I’m not that afraid since I think I’m experienced.

  22. I had heard about this, but I didn’t know it was this bad. The way you put it, it sounds like this might be the biggest and dumbest mistake a company has ever made, I wonder if this affected their sales in any way? Common sense says it did, but you never know. I took the test, it’s awesome because it let me know they didn’t detect any other SSL disabling software in my PC.

Leave a Reply