Recent reports state that Lenovo has been shipping new consumer computers with pre-installed adware that activates when the machine is switched on for the first time.
The adware, called "Superfish", has reportedly been installed on a number of Lenovo's consumer laptops.
The Superfish adware is known to inject third-party ads into Google searches and websites without the user's consent. So far, Superfish has been seen affecting Internet Explorer and Google Chrome on these Lenovo computers. This is bad news for the tech community, but mostly for those who recently invested in a Lenovo computer.
With the newly-exposed Lenovo adware making the rounds across the web, experts are of the opinion that the world's biggest computer maker shipped laptops with pre-installed software that could allow hackers to steal passwords and other sensitive information when users shop online, pay bills or even check email.
Mark Hopkins, a Lenovo community administrator, noted in late January that the software would be temporarily removed from current systems after enraged users complained of random pop-ups and other similar unwanted behaviour.
"We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues," Hopkins wrote.
Hopkins also went on to defend the software, stating that it "helps users find and discover products visually" and that it "instantly analyzes images on the web and presents identical and similar product offers that may have lower prices." He also says that users can decline the terms and conditions when setting up their laptop.
The problem, as of now, affects an unknown number of computers. Lenovo says it shipped "some" laptops with Superfish between September and December last year, before it stopped because of the growing customer complaints. In reality, though, the word "some" could easily cover a large number of machines.
Going by numbers, Lenovo shipped more than 16 million laptops and desktops in the fourth quarter. However, the company said on Thursday that it had disabled the offending software and would provide customers with a tool that permanently removes the program from their computers.
Several users have already reported finding the adware on their Lenovo-made machines. Some say the adware installs its own self-signed certificate authority, which allows the software to pry on secure connections, including those to banking websites.
This is a wicked technique commonly known as a "man-in-the-middle" attack, where, according to a Next Web report, "the certificate allows the software to decrypt secure requests." And yet, it seems Lenovo has been shipping this software with some of its products.
"This means that anyone affected by this adware cannot trust any secure connections they make," researcher Marc Rogers wrote on his blog. Experts also say Superfish re-uses the same encryption certificate on every computer. This means a hacker who cracks the Superfish key could gain broad access to a variety of online transactions.
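The practical question for an affected owner is whether such a root certificate is present on their own machine. Internet Explorer and Chrome on Windows both consult the Windows certificate stores, so those are the places to look. The following PowerShell audit is an added example and is not from the article, Lenovo or Superfish; it assumes only that the vendor name "Superfish" appears in the certificate's Subject (the article does not give the exact subject string or thumbprint). It goes a step beyond the specific case by also flagging any trusted root whose private key is present on the machine, which is the general tell-tale of an on-device interception CA; a genuine public root CA never has its private key on an end-user PC.

```powershell
# Added example, not the article's or Lenovo's code: audit the Windows root-CA
# stores used by Internet Explorer and Chrome for a locally injected
# interception CA.
#
# Check 1: any trusted root whose Subject mentions "Superfish" (name from the
#          article; the exact Subject of the shipped CA is assumed to contain it).
# Check 2: any trusted root whose private key lives on this machine. This
#          catches interception proxies in general. A Superfish-style root whose
#          key is embedded in the application rather than the cert store will
#          only be caught by check 1.
$pattern = 'Superfish'   # assumption: vendor name appears in the CA Subject

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()
        if ($cert.Subject -match $pattern) { $reasons += "subject matches '$pattern'" }
        if ($cert.HasPrivateKey)           { $reasons += 'private key present on this machine' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Removal is a deliberate, manual step: confirm the thumbprint first, then
    # from an elevated prompt run
    #   Remove-Item "Cert:\LocalMachine\Root\<thumbprint>"
    # for a confirmed hit, and uninstall the program that installed it.
} else {
    "No '$pattern' roots and no trusted roots carrying a private key were found."
}
```

Run it from an elevated PowerShell prompt so that the LocalMachine store is fully readable. A hit on check 2 that is not Superfish deserves a look as well: corporate TLS-inspection roots are normally distributed without their private key, so a root that carries one on a laptop is worth explaining before it is trusted further. Firefox keeps its own certificate store and is not covered by this check.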
And to make things worse, Robert Graham, chief executive of Errata Security, claimed in a blog post on Thursday that he was easily able to extract the Superfish encryption password in a few hours. However, there are as yet no reports of hackers trying to steal information from the affected laptops.
Lenovo recently apologized to customers while also confirming that it's working with users to enable laptop computer owners to remove the pre-installed software that potentially exposed them to hacking attacks and unauthorized activity monitoring. Lenovo posted links on Twitter to its website with information about the software and removal instructions.
"The Superfish software undermines Internet security for the rather ridiculous purpose of serving advertisements," said Rainey Reitman, director of activism at the Electronic Frontier Foundation. "It's a severe security issue, and frankly a betrayal by Lenovo of all of its affected customers."
Even though Hopkins claims that the company has stopped installing the software on computers, it appears the arrangement is only "temporary" until the company behind the software introduces a few tweaks that will get rid of those unwanted pop-ups. That being said, reports of Superfish being pre-loaded on Lenovo computers have appeared on forums as early as mid-2014.
"We messed up badly here," Peter Hortensius, Lenovo's chief technology officer, said in an interview. "We made a mistake. Our guys missed it. We're not trying to hide from the issue -- we're owning it." Superfish, on the other hand, said in a statement that the company is "completely transparent in what our software does and at no time were consumers vulnerable."
As widespread as the latest Lenovo Superfish issue appears to be, it is particularly bad news given all the noise companies make about online security when selling their products. Lenovo users have had to bear, and will continue to bear, most of the brunt of the situation. If you use a Lenovo machine, let us know in the comments section below whether you have come across the adware.