Padlock
David Goehring/Flickr, CC BY 2.0

No, Superfish isn’t the next comic-book movie to hit theaters; it’s an advertising software program that’s caused a headache for computer maker Lenovo. The company pre-installed the software on many of its consumer laptops, where it basically injects ads into webpages as users surf. That’s intrusive enough—and that’s what the software is designed to do.

But security experts recently discovered that by injecting these ads, Superfish opened up a major opportunity for hackers: It essentially allowed them to hijack the process of authenticating secure websites.

There are two essential parts to a secure connection: encryption and authentication. Encryption makes sure that the communications between you and a site are secure, so that no third party can listen in. Authentication proves that the site you’re communicating with is actually who it claims to be. When you access a secure site—such as your bank or an e-commerce vendor—your browser checks that site’s certificate, much in the same way a bouncer might check one’s ID. The certificate is issued by a certificate authority, a trusted third party that has confirmed that the site that claims to be, say, Bank of America, is in fact run by Bank of America.

But Superfish’s workaround meant that it could interpose itself into the authentication process; in other words, it became a de facto certificate authority, letting it “confirm” the identities of secure sites without actually knowing whether or not they were who they claimed to be. Superfish’s goal in doing this was to be able to inject its ads into pages secured with HTTPS, which it otherwise wouldn’t be able to access. As a side effect, however, it also meant that anybody who could figure out how to compromise Superfish’s certificate (which a security researcher quickly did) could essentially trick affected Lenovo machines into believing, for example, that a phishing site was actually your bank’s site.

Lenovo, for its part, says that only some of its PCs shipped between October and December 2014 had Superfish installed, and that it stopped pre-loading the software as of January. The company also provided both an automatic removal tool and instructions to manually remove Superfish.
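
To check whether a Windows machine still trusts a root certificate of the kind described above, the trusted-root stores can be audited directly. The PowerShell below is an added example, not code from this article or from Lenovo. It assumes the vendor name appears in the certificate's subject or issuer, and it also applies a general heuristic that goes beyond the article: flagging any trusted root whose private key is held on the local machine.

```powershell
# Added example: audit the Windows trusted-root stores for certificates that
# look like a locally installed interception root.
# ASSUMPTION: the watchlist pattern matches the vendor name as it appears in
# the certificate subject or issuer; extend the regex for other software.
$watchlist = 'Superfish'

# Roots trusted for every user, and roots trusted only for the current user.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()

        # Check 1: name-based match against the watchlist.
        if ($_.Subject -match $watchlist -or $_.Issuer -match $watchlist) {
            $reasons += 'subject or issuer matches watchlist'
        }

        # Check 2 (general heuristic, not from the article): a public CA never
        # ships its signing key to end users, so a trusted root that has its
        # private key in the local store can issue certificates from this PC.
        if ($_.HasPrivateKey) {
            $reasons += 'private key for a trusted root is stored locally'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reasons    = $reasons -join '; '
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No trusted root matched the watchlist or carried a local private key.'
}
```

Browsers that keep their own certificate store are not covered by this check and need to be inspected separately.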

All of this only highlights the danger of pre-installed software. It rarely benefits the end user, and it often seems as though the vendors don’t thoroughly audit the programs to see how they affect their customers. Adware is violation enough; security vulnerabilities only add injury to the insult.