Lenovo Laptops Come Pre-Installed With Giant Security Hole

It’s not uncommon for a new PC to come with some pre-installed crap on it you don’t want. From proprietary hard drive management tools to antivirus trials, software bundling is sadly common. But the junk shipping on new Lenovo laptops goes one troublesome step further: the bloatware present on several models is not only annoying, but dangerous, with a vulnerability that could let someone easily access users’ private, nominally secure data.

The program is called Superfish. As Ars Technica explains, It’s meant to be “just” adware, scanning what you do and where you go and inserting advertisements while you do it. That, by itself, is pernicious and problematic enough. But the program also operates in such a way that any wandering third party with an eye for mischief could easily sneak in and steal your info.

For example, let’s say you want to do some online banking. Ordinarily you type in your bank’s URL and get an encrypted connection to it — that https that leads off the address bar. Your computer and your bank’s site then talk to each other. The bank site shows a security certificate saying, “Hey, I’m legit!” Your computer agrees that the bank is legit, the site loads, and you log in and carry on with your business.

But with Superfish installed, there’s a new link in that chain. You go to the bank’s website. Instead of the bank saying to your computer, “Hey, here’s my security certificate,” Superfish says to your computer, “Oh, no, it’s cool, the bank totally showed me its certificate. Totes legit. Here, take mine instead!”

As the saying goes, a chain is only as strong as its weakest link. And Superfish has a major weakness indeed: that fake security certificate is always the same, on every Lenovo computer. So if an info thief created a fake HTTPS site using Superfish’s credentials to siphon off personal data from every user that visited it, Superfish would pass it right on through as legitimate.

Basically, users of the affected Lenovo models have no real way of knowing whether the sites they visit are legitimate or not, because of the software that came pre-installed on the computer. Any kind of hijacking could be going on and the browser would have to report back that things are a-ok, showing a green light, a little lock, or whatever other indication users get that their HTTPS connection is secure and correct.

Lenovo owners apparently began to complain about the issue as far back as last September. Lenovo stopped installing the program in January, and says they are investigating the issue.

However, store shelves everywhere are full of computers that shipped prior to January, 2015 and will have Superfish on them. And uninstalling Superfish from your machine, as users can do, doesn’t actually remove the root certificate that’s the cause of the problem.

Lenovo has not clarified which specific models come with Superfish installed, nor have they yet released a way to solve the glaring security issue. With widespread public attention now on the problem, hopefully they’ll move quickly.

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Ars Technica]