Lenovo has apparently been a very naughty company, as reports are coming in of adware pre-installed on Lenovo systems.
The adware, named Superfish, is reportedly installed on devices out of the box and it’s a bit more difficult to get rid of it than you might expect. The software injects ads when users browse the web, with Google searches being a primary target. A number of antivirus programs report Superfish as adware and recommend uninstalling it.
Despite that, Lenovo claims it’s useful software that helps users “discover products visually”. The company also responded to public backlash saying they would temporarily discontinue shipping the software while a new version is developed that doesn’t actually inject ads into users’ browsing sessions. Meanwhile, those already affected by the adware need to wait for the software’s developers to push out an update that fixes this behavior.
While that sounds pretty horrible, it gets much worse. There are some reports showing that Superfish doesn’t just inject ads. It also installs its own security certificate which shares its private key. This allows any software that uses that key to fool the device into thinking it’s legitimate Microsoft software. It would then be able to decode encrypted data such as that sent between you and your bank.
This could effectively allow the software to perform a man-in-the-middle attack on your private data. Internet Explorer and Chrome could be affected by this, while Firefox is currently safe thanks to its independent certificate repository. And the security certificate itself doesn't get removed alongside the program, so users could still be vulnerable even if they get rid of Superfish.
There’s no evidence yet that this is actually happening, but the possibility itself will no doubt be troubling to many Lenovo device owners.
How the company chooses to act now may make the difference between a relatively small mishap and a major scandal with lasting repercussions for the company.
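Because the certificate stays behind after the program is uninstalled, the Windows root stores that Internet Explorer and Chrome rely on can be checked directly. The PowerShell below is an added example, not part of the original report; matching on the name "Superfish" in a certificate's subject or issuer is an assumption (the report gives no thumbprint), and the function name is hypothetical.

```powershell
# Added example: audit the Windows trusted-root stores for a leftover certificate.
# Assumption: the certificate carries "Superfish" in its Subject or Issuer.
# No thumbprint is hard-coded because the report does not provide one.
function Find-RootCertByName {
    param(
        [string]$Pattern = 'Superfish',
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        # Skip stores that do not exist on this machine.
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    # A root the software installed for itself is normally self-signed.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    PSPath     = $_.PSPath
                }
            }
    }
}

$hits = @(Find-RootCertByName)
if ($hits.Count -eq 0) {
    Write-Output 'No matching certificate found in the Windows root stores.'
} else {
    $hits | Format-List Store, Subject, Thumbprint, NotAfter, SelfSigned
    # To remove the entries, run from an elevated prompt (needed for LocalMachine):
    # $hits | ForEach-Object { Remove-Item -LiteralPath $_.PSPath }
}
```

Firefox keeps its own certificate store, so this check does not cover it.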