If you’ve bought a Levono device in recent times, then it may have come with adware known as Visual Discovery by Superfish, and it’s a major problem.
Effectively, Superfish is a software add-on which serves to bring up extra ads while you’re browsing a site, even if it’s a secure HTTPS site.
However, the flaws in its security would allow any hacker to carry out man-in-the-middle attacks, which allows them to both intercept messages as well as alter them or include their own messages. This means that private and secure information like passwords, financial details and personal information could be intercepted.
Superfish wasn’t intended as malware. Lenovo has said it was designed to show targeted ads by analyzing images of products that a user might see on the web and then presenting “identical and similar product offers that may have lower prices.” Lenovo said the software doesn’t track users or collect any identifying information.
But some users initially complained the software shows unwanted “pop-up” ads. And this week, several independent experts reported that Superfish works by substituting its own security key for the encryption certificates that many websites use to protect users’ information. “This means that anyone affected by this adware cannot trust any secure connections they make,” researcher Marc Rogers wrote on his blog.
What’s worse, experts said, is that Superfish appears to re-use the same encryption certificate for every computer, which means a hacker who cracked the Superfish key could have broad access to a variety of online transactions.
The CEO of Errata Security, Robert Graham discovered that it allowed him to intercept encrypted communications of anyone using Superfish by being near them at a cafe WiFi hotspot.
In a statement, Lenovo said it stopped the preloads back in January models and listed the models Superfish would have appeared on.
We thought the product would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.
How to remove it
If you do own a Lenovo computer and want to remove it, there are a few methods to use. The easiest way to check is to use a web service from password manager LastPass, which will tell you if your computer is safe or not.
If you do have it installed, then it details how exactly you can uninstall both the programme and the certificates it uses. Even if it comes up as safe, it’s worth delving into control panel just to be on the safe side.
Once that’s done, it’s recommended that you change your passwords to any online services that you use. You could use a password manager like LastPass to create more complex passwords or other services like 1Password or KeePass.
(Additional reporting by AP)