Superfish, a little-known Silicon Valley startup, has been facing criticism for some time over its software of the same name, which has exposed Lenovo laptop users to hackers. The software unintentionally helps attackers steal users' personal information. Superfish came pre-loaded on Lenovo laptops sold between September 2014 and January 2015.

According to security researchers, the vulnerability discovered in Superfish lets hackers impersonate shopping, banking and other websites and steal users' personal information, including credit card numbers. Lenovo has not said how many laptops in users' hands carry the software, but according to CNET the Chinese company sold 16 million Windows computers between September 2014 and January 2015.

Lenovo has since apologized for pre-loading computers with Superfish's visual search software, which captures images from users' browsing and then shows them ads for similar products. According to Lenovo, the software behaved acceptably until Superfish added a third-party component; that addition let Superfish spy on the secured, encrypted websites users visited.

What is Superfish Software?

Superfish is essentially adware: it is meant to place advertisements in your web browser, but it is not safe to use. It intercepts your traffic, which opens your computer to man-in-the-middle attacks, a risk comparable to the Heartbleed security bug discovered last year. In fact, Superfish goes a step further and injects ads even into encrypted 'HTTPS' websites, such as secure retail or banking sites. The adware can reach even these secured sites because Lenovo added its signing certificate to the list of 'Root Certificates'. Here's everything that Superfish can do with that trust:

  • Hijack legitimate connections
  • Keep track of user activity
  • Collect personal information and upload it to its servers
  • Inject advertising into legitimate pages
  • Use man-in-the-middle techniques to open up secure connections
  • Present users with its own fake certificates instead of the legitimate site's certificate
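The list above describes a machine whose trust store contains the adware's root certificate. The Go program below is an added example, not code from the article or from Lenovo or Superfish: it mints a constructed rogue root, forges a certificate for a constructed hostname with it, and shows that the same forged certificate is rejected by a trust store without that root and accepted by one where it has been injected. The root name, hostname and keys are all constructed; the defender's check is the one rootOfChain performs, namely seeing which root a familiar site's certificate actually chains to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert mints a certificate for cn: a self-signed root CA when parent is nil (stand-in for
// the pre-loaded adware root), else a server cert signed by that parent, as a MITM proxy forges.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root CA: allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: a TLS server certificate valid for cn
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// rootOfChain verifies leaf for host against the given trust store and returns the CommonName of
// the root it chained to, or "" if rejected. A familiar site chaining to an unfamiliar root is the
// sign to look for on a machine that may carry an injected root.
func rootOfChain(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil { return "" }
	return chains[0][len(chains[0])-1].Subject.CommonName
}

// Demo checks a forged certificate against an empty trust store and one with the forging root injected.
func Demo() (cleanStore, taintedStore string) {
	root, rootKey := makeCert("Constructed Rogue Root CA", nil, nil)
	forged, _ := makeCert("bank.example", root, rootKey)
	clean, tainted := x509.NewCertPool(), x509.NewCertPool()
	tainted.AddCert(root) // the one extra root that makes every forged certificate look valid
	return rootOfChain(forged, "bank.example", clean), rootOfChain(forged, "bank.example", tainted)
}
```

Demo returns "" for the clean store and the constructed root's name for the tainted one; the empty pool stands in for a trust store that never received the injected root.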

What next?

In response to its users' growing security concerns, Lenovo has released a tool that removes an installed copy of Superfish. The removal tool can be downloaded from http://support.lenovo.com/us/en/product_security/superfish_uninstall; it must be downloaded but runs without installation. Lenovo has released the tool under a public license and published its source code on GitHub, so that security experts can analyze it and improve it if needed.

Meanwhile, Lenovo and Superfish, each accusing the other of the fraudulent practices, have been taken to court by unhappy customers. The lawsuit was filed after Lenovo admitted to pre-loading Superfish on some consumer laptops.