Lenovo disables ‘Superfish’ ad software after backlash

The world’s largest computer seller is backing away from Superfish after security advocates and customers objected to the pre-installed app, which experts say is a form of adware that exposes PC users to attackers.

China-based Lenovo had previously acknowledged the presence of the Superfish app it pre-loaded on some of its machines between September and January.

“Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually,” a North Carolina-based Lenovo administrator told an Internet message board last month. “When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.”

However, many consumers did not see the application as one that would enhance their web surfing experience. Security experts have said Superfish opens up many doors for cyber attacks and leaves users’ encrypted web data — including secure online passwords — susceptible to interception. Some have gone so far as to speculate that Lenovo manipulated the computers’ security certificate processes to implement the ad strategy.

“If Lenovo was doing this, it would have to interrupt what’s known as the certificate chain,” Forbes magazine’s Thomas Fox-Brewster wrote in a story Thursday. “With Superfish, it’s been claimed Lenovo is using a self-signed certificate to appear as a trusted party (which it no doubt considers itself to be) along the chain.”

Fox-Brewster also noted that Lenovo could, if it wanted to, abuse the software to spy on its customers.

Thursday, Lenovo announced that it had disabled the software so it no longer runs on computers that already have the app installed, and that it stopped pre-installing it on new machines last month.

“We know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software,” the company said in the statement.

In its response, Lenovo attempted to clarify its intention in pre-installing the software.

“To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted,” the statement said.

Adi Pinhas, Superfish’s chief executive, told the Wall Street Journal in an email that Lenovo customers were not at risk running the app.

However, computer security expert Robert Graham, CEO of Errata Security, wrote in a blog post that he was able to crack Superfish’s own security settings.

“The consequence is that I can intercept the encrypted communications of Superfish’s victims (people with Lenovo laptops) while hanging out near them at a café Wi-Fi hotspot,” he said.
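To make concrete the certificate-chain mechanism Fox-Brewster describes and why Graham’s interception claim follows from it, here is an added Go example; it is not code from the article, Lenovo or Superfish. The "Constructed Adware Root", the host name www.example.com, the baseline fingerprint list and the detection function UnexpectedRoots are all constructed for this demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert builds a cert for cn: self-signed (a root) when parent is nil, else signed by parent.
func issueCert(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // no parent: the cert signs itself, i.e. it is a root
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// InterceptionDemo models the mechanism described above: a cert for host signed by a locally
// generated root fails against a clean trust store and passes once that root is added to it.
func InterceptionDemo(host string) (rejectedByClean, acceptedByPoisoned bool) {
	root, rootKey := issueCert("Constructed Adware Root", 1, true, nil, nil) // constructed
	forged, _ := issueCert(host, 2, false, root, rootKey)
	clean, poisoned := x509.NewCertPool(), x509.NewCertPool() // clean stands in for the OS store
	poisoned.AddCert(root)
	_, errClean := forged.Verify(x509.VerifyOptions{Roots: clean, DNSName: host})
	_, errPoisoned := forged.Verify(x509.VerifyOptions{Roots: poisoned, DNSName: host})
	return errClean != nil, errPoisoned == nil
}
// UnexpectedRoots is the defender's check (assumed name): subjects of self-signed CAs in a
// trust store whose SHA-256 fingerprint is not on the caller's approved baseline.
func UnexpectedRoots(store []*x509.Certificate, baseline map[[32]byte]bool) []string {
	var found []string
	for _, c := range store {
		if c.IsCA && c.CheckSignatureFrom(c) == nil && !baseline[sha256.Sum256(c.Raw)] {
			found = append(found, c.Subject.CommonName)
		}
	}
	return found
}
```

Running UnexpectedRoots over a real machine's exported root store against a vendor baseline is the practical audit; the in-memory pools here only stand in for that store.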

In its statement, Lenovo assured customers that it would not load Superfish on any of its devices in the future, largely as a result of the negative customer feedback.

“Our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively,” the company said.