If you bought a Lenovo computer some time since September 2014, your shiny new system may contain a piece of spyware called Superfish a/k/a Visual Discovery. It's a software package that intercepts your Web page connections and inserts advertising into the displayed pages. What makes this piece of garbage particularly nasty is that it also comes with a fake root certificate authority (rootCA) that allows it to intercept and inject ads into encrypted SSL/TLS connections as well.
Shortly after news broke of its discovery, it was announced that the fake rootCA's private key had been extracted from the software, allowing anyone holding that key to snoop on all SSL/TLS browser traffic on a machine afflicted with Superfish.
And no, its presence wasn't due to an accident while creating the master install image. Lenovo put it there deliberately.
Here's how to get rid of Superfish and the fake rootCA.
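As an added example (not from the original post, and not Lenovo's or Superfish's own tooling), the following PowerShell checks the Windows trusted-root stores for a self-signed CA whose subject mentions "Superfish" and offers to remove it. The subject match is an assumption; confirm the thumbprint against a trusted reference before deleting, and remember that the certificate is only half the job, since the Visual Discovery application itself also has to be uninstalled.

```powershell
# Added example: find a self-signed root CA whose subject mentions "Superfish"
# in the machine and user trusted-root stores, report it, and offer removal.
# Run from an elevated PowerShell prompt so the LocalMachine store is visible.
# The 'Superfish' subject pattern is an assumption, not a value from the post.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        # A root CA is self-signed: subject and issuer are the same DN.
        $_.Subject -match 'Superfish' -and $_.Subject -eq $_.Issuer
    } | Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, Thumbprint, NotBefore, NotAfter
}

if (-not $suspect) {
    Write-Output 'No Superfish-like root certificate found in the trusted-root stores.'
}
else {
    # Show what was found before touching anything.
    $suspect | Format-Table -AutoSize

    # Removal is an explicit, confirmed step: Remove-Item on the Cert: provider
    # deletes the certificate from the store it was found in.
    foreach ($c in $suspect) {
        Remove-Item -Path "$($c.Store)\$($c.Thumbprint)" -Confirm
    }
}
```

Browsers that keep their own trust store (Firefox, for example) are not covered by the Windows stores above and need a separate check.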
If Lenovo is to be believed (snort), the spyware was only installed on machines between September and December 2014, although messages on discussion fora mention the spyware's presence as early as June 2014. The story appears to still be in motion -- early reports suggested no laptop products were affected, while Lenovo's current statement claims only select laptops were affected.
Lenovo released a statement on the issue today, which I quote below in full (fair-use customs be damned):
Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:
- Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
- Lenovo stopped preloading the software in January.
- We will not preload this software in the future.
We know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.
To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.
We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at http://forums.lenovo.com.
Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Interesting that business-class Thinkpad T, W, and X series weren't (apparently) affected. Perhaps having major corporate accounts discover their supplier is trying to pwn them isn't good for business...?
So my question is: Who greenlit this? When was user reaction to any piece of adware ever positive? Who thought compromising SSL/TLS integrity was a good idea (besides Gogo Inflight Internet, I mean)? All in the service of fscking advertising? At the very least, someone needs to lose their job over this.