PSA: Lenovo buyers BEWARE - Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections (EDIT 2/23/15: LAWSUIT PENDING)
Last Edited by franzcatch February 23, 2015 at 12:54 PM
Quote: Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated]
Superfish may make it trivial for attackers to spoof any HTTPS website
Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.
The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.
Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries--a failure that completely undermines the reason HTTPS protections exist in the first place.
[Update: Lenovo has released a statement saying Superfish was installed on consumer laptops shipped between October and December 2014. The manufacturer said it stopped preloading Superfish in January 2015 and has no plans to resume the practice. Amazingly, the company said it did "not find any evidence to substantiate security concerns," but added that it's responding to them anyway.
Quote: "Lenovo admitted to pre-loading the Superfish adware on some consumer PCs, and unhappy customers are now dragging the company to court on the matter. A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with 'fraudulent' business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware. Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called 'spyware' in court documents. She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits."
Removal instructions: http://www.tomsguide.c
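
A way to check whether a machine trusts such a root, as an added example that is not part of the original post or the quoted articles: the PowerShell below lists certificates in the Windows root stores whose subject or issuer names Superfish. The function name `Find-TrustedRootByName` is made up for this example, and matching on the string "Superfish" is an assumption based on the company name given above.

```powershell
# Added example: look for a trusted root certificate naming Superfish.
# Assumption: the certificate's subject or issuer contains "Superfish".
function Find-TrustedRootByName {
    param(
        [string]$Pattern = 'Superfish',
        # Machine-wide and per-user root stores; both are consulted by Windows.
        [string[]]$StorePath = @(
            'Cert:\LocalMachine\Root',
            'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot',
            'Cert:\CurrentUser\AuthRoot'
        )
    )
    $escaped = [regex]::Escape($Pattern)
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match $escaped -or $_.Issuer -match $escaped } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    # A root that signs itself has identical subject and issuer.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$hits = @(Find-TrustedRootByName)
if ($hits.Count -eq 0) {
    Write-Output 'No trusted root matching "Superfish" found in the Windows certificate stores.'
} else {
    # Any hit means HTTPS certificates signed by that root are accepted on this PC.
    $hits | Format-List
}
```

Applications that keep their own certificate store instead of using the Windows one are not covered by this check.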